--- libnss-ldap/libnss-ldap-261/build-tree/nss_ldap-261/,ldap-nss.c	2010-03-15 10:04:47.593727549 -0500
+++ libnss-ldap/libnss-ldap-261/build-tree/nss_ldap-261/ldap-nss.c	2010-03-17 16:04:16.165226755 -0500
@@ -184,6 +184,7 @@
 static void do_atfork_setup (void);
 #endif
 
+static void do_atexit (void);  /* allow exit to cleanup to help valgrind */
 /*
  * Close the global session, sending an unbind.
  */
@@ -553,11 +554,25 @@
   (void) __libc_atfork (do_atfork_prepare, do_atfork_parent, do_atfork_child);
 #endif
 
+atexit(do_atexit); /* allow exit to cleanup to help valgrind */
+
   debug ("<== do_atfork_setup");
 }
 #endif
 
 /*
+ * allow exit to cleanup to help valgrind
+ */
+void
+do_atexit (void)
+{
+  debug ("<== do_atexit");
+  _nss_ldap_enter();
+  do_close();
+  debug ("==> do_atexit (should be no more activity)");
+}
+
+/*
  * Acquires global lock, blocks SIGPIPE.
  */
 void
@@ -1107,6 +1122,7 @@
 
   debug ("==> do_init");
 
+
   if (_nss_ldap_validateconfig (__config) != NSS_SUCCESS)
     {
       do_close ();
@@ -1236,9 +1252,9 @@
 	}
     }
 
-  __session.ls_conn = NULL;
+/* LOOKS LIKE A PROBLEM. COULD BE INITIALIZED, BUT NOT CONNECTED */
+  if (__session.ls_state == LS_UNINITIALIZED) {
   __session.ls_timestamp = 0;
-  __session.ls_state = LS_UNINITIALIZED;
 
 #if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK)
   if (pthread_once (&__once, do_atfork_setup) != 0)
@@ -1357,6 +1373,10 @@
   __session.ls_state = LS_INITIALIZED;
 
   debug ("<== do_init (initialized session)");
+  } /* if already initialized  but not connected */
+  else {
+    debug ("<== do_init (already initialized)");
+  }
 
   return NSS_SUCCESS;
 }
@@ -1577,6 +1597,7 @@
 	}
       else
 	{
+          syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat);
 	  do_close ();
 	  debug ("<== do_open (TLS startup failed)");
 	  return stat;
@@ -2472,6 +2493,7 @@
 #endif /* LDAP_OPT_ERROR_NUMBER */
 	  syslog (LOG_AUTHPRIV | LOG_ERR, "nss_ldap: could not get LDAP result - %s",
 		  ldap_err2string (rc));
+          do_close();
 	  stat = NSS_UNAVAIL;
 	  break;
 	case LDAP_RES_SEARCH_ENTRY:
@@ -2507,6 +2529,7 @@
 		  syslog (LOG_AUTHPRIV | LOG_ERR,
 			  "nss_ldap: could not get LDAP result - %s",
 			  ldap_err2string (rc));
+                  do_close();
 		}
 	      else if (resultControls != NULL)
 		{