diff --git a/.gitignore b/.gitignore
index 3feae2b..eab66c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@
 /openldap-2.6.5.tgz
 /openldap-2.6.6.tgz
 /openldap-2.6.7.tgz
+/openldap-2.6.8.tgz
diff --git a/openldap-ITS-9921-fix-vlvResult-comment.patch b/openldap-ITS-9921-fix-vlvResult-comment.patch
deleted file mode 100644
index ff059d7..0000000
--- a/openldap-ITS-9921-fix-vlvResult-comment.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0b4098ca9080e78436cbd9f383047a9583888376 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Mon, 26 Sep 2022 11:55:27 +0100
-Subject: [PATCH] ITS#9921 fix vlvResult comment
-
----
- clients/tools/common.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/clients/tools/common.c b/clients/tools/common.c
-index b88f219b36..3135034ca0 100644
---- a/clients/tools/common.c
-+++ b/clients/tools/common.c
-@@ -2210,7 +2210,7 @@ print_vlv( LDAP *ld, LDAPControl *ctrl )
- ber_memfree( bv.bv_val );
-
- tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
-- ldif ? "vlvResult" : "vlvResult", buf, rc );
-+ ldif ? "vlvResult: " : "vlvResult", buf, rc );
- }
-
- return rc;
---
-GitLab
-
diff --git a/openldap-explicitly-cast-private-values.patch b/openldap-explicitly-cast-private-values.patch
deleted file mode 100644
index 80daad6..0000000
--- a/openldap-explicitly-cast-private-values.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From fb9e6a81bbee880549e7ec18f0a74ddddbd2d1ab Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher
-Date: Tue, 6 Feb 2024 21:38:24 -0500
-Subject: [PATCH] ITS#10171 - Explicitly cast private values
-
-Fixes issues with -Werror=incompatible-pointer-types
-
-Signed-off-by: Stephen Gallagher
----
- servers/slapd/config.c | 2 +-
- servers/slapd/overlays/constraint.c | 2 +-
- servers/slapd/overlays/dyngroup.c | 2 +-
- servers/slapd/overlays/valsort.c | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/servers/slapd/config.c b/servers/slapd/config.c
-index 80333f359c..987c862d91 100644
---- a/servers/slapd/config.c
-+++ b/servers/slapd/config.c
-@@ -151,7 +151,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) {
- int rc, arg_user, arg_type, arg_syn, iarg;
- unsigned uiarg;
- long larg;
-- size_t ularg;
-+ unsigned long ularg;
- ber_len_t barg;
-
- if(Conf->arg_type == ARG_IGNORED) {
-diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
-index f939b37762..0d6156af4d 100644
---- a/servers/slapd/overlays/constraint.c
-+++ b/servers/slapd/overlays/constraint.c
-@@ -557,7 +557,7 @@ done:;
- a2->restrict_filter = ap.restrict_filter;
- a2->restrict_val = ap.restrict_val;
-
-- for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
-+ for ( app = (constraint **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
- /* Get to the end */ ;
-
- a2->ap_next = *app;
-diff --git a/servers/slapd/overlays/dyngroup.c b/servers/slapd/overlays/dyngroup.c
-index 5d890d6650..e0e70af2d9 100644
---- a/servers/slapd/overlays/dyngroup.c
-+++ b/servers/slapd/overlays/dyngroup.c
-@@ -111,7 +111,7 @@ static int dgroup_cf( ConfigArgs *c )
- */
- a2 = ch_malloc( sizeof(adpair) );
-
-- for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
-+ for ( app = (adpair **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
- /* Get to the end */ ;
-
- a2->ap_mem = ap.ap_mem;
-diff --git a/servers/slapd/overlays/valsort.c b/servers/slapd/overlays/valsort.c
-index 3d998e2fcb..e251500d0b 100644
---- a/servers/slapd/overlays/valsort.c
-+++ b/servers/slapd/overlays/valsort.c
-@@ -201,7 +201,7 @@ valsort_cf_func(ConfigArgs *c) {
- return(1);
- }
-
-- for ( vip = &on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
-+ for ( vip = (valsort_info **)&on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
- /* Get to the end */ ;
-
- vi = ch_malloc( sizeof(valsort_info) );
---
-GitLab
-
diff --git a/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch b/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
new file mode 100644
index 0000000..3663f3f
--- /dev/null
+++ b/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
@@ -0,0 +1,92 @@
+From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Tue, 26 Nov 2024 12:32:07 -0800
+Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
+
+Given that libldap can be pulled into random applications and applications
+are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
+to do is to avoid trying to touch SSL context in ldap destructors, and just
+let them leak if the application does not explicitly free the ldap context.
+
+Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
+maintaining all other cleanup operations, and use it in the library
+destructor path.
+
+Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
+---
+ libraries/libldap/init.c | 2 +-
+ libraries/libldap/ldap-int.h | 1 +
+ libraries/libldap/tls2.c | 25 +++++++++++++++++++++----
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 213276b4b5..aa017f4128 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
+ }
+ #endif
+ #ifdef HAVE_TLS
+- ldap_int_tls_destroy( gopts );
++ ldap_int_tls_destroy_safe( gopts );
+ #endif
+ }
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 7e754775e8..b73097ccc7 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+ LDAPConn *conn, LDAPURLDesc *srv ));
+
+ LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
++LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
+
+ /*
+ * in getvalues.c
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 0841005a59..82f8573602 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
+ static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
+ #endif
+
+-void
+-ldap_int_tls_destroy( struct ldapoptions *lo )
+-{
+- if ( lo->ldo_tls_ctx ) {
++/*
++ * Implementation function that handles all cleanup.
++ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
++ */
++static void
++ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
++ {
++ if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
+ ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
+ lo->ldo_tls_ctx = NULL;
+ }
+@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ BER_BVZERO( &lo->ldo_tls_pin );
+ }
+
++
++void
++ldap_int_tls_destroy( struct ldapoptions *lo )
++{
++ ldap_int_tls_destroy_impl(lo, 0);
++}
++
++/* Safe version for destructor use */
++void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
++{
++ ldap_int_tls_destroy_impl(lo, 1);
++}
++
+ /*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+--
+2.47.0
+
diff --git a/openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch b/openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch
deleted file mode 100644
index dda0f52..0000000
--- a/openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From c7a4bd27f5dcf93806972aab236001f1d4801e80 Mon Sep 17 00:00:00 2001
-From: Howard Chu
-Date: Wed, 31 Jan 2024 16:00:30 +0000
-Subject: [PATCH] ITS#10166 slapi: fix plugin.c plugin_pblock_new() usage
-
-Broken in 9142da8eaf691720f7d6288954250ef085bd3da0
----
- servers/slapd/slapi/plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/slapi/plugin.c b/servers/slapd/slapi/plugin.c
-index ca5dbead59..bfa5c10344 100644
---- a/servers/slapd/slapi/plugin.c
-+++ b/servers/slapd/slapi/plugin.c
-@@ -694,7 +694,7 @@ slapi_int_read_config(
- int rc;
- Slapi_PBlock *pPlugin;
-
-- pPlugin = plugin_pblock_new( iType, numPluginArgc, c->argv );
-+ pPlugin = plugin_pblock_new( iType, numPluginArgc, c );
- if (pPlugin == NULL) {
- return 1;
- }
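Review bot: In the tls2.c part of the added patch, when `skip_ctx_cleanup` is 1 `ldap_int_tls_destroy_impl` leaves `lo->ldo_tls_ctx` both unfreed and non-NULL, yet its header comment says it "handles all cleanup" and `ldap_int_tls_destroy_safe` is documented only as "Safe version for destructor use". The TLS context presumably holds the loaded certificate and key state, so the deliberate leak and its scope should be written down, for example `/* Destructor-only: ldo_tls_ctx is intentionally left allocated and still set, since OPENSSL_cleanup() may already have run; do not call this for options that remain in use. */` above `ldap_int_tls_destroy_safe`. As a style point, the `{` that opens `ldap_int_tls_destroy_impl` carries a stray leading space, and `void ldap_int_tls_destroy_safe( ... )` keeps the return type on the signature line while the definitions around it put it on its own line. The body of `ldap_int_tls_destroy_impl` continues outside the inner hunks shown here, so whether later code on the destructor path reads `ldo_tls_ctx` again cannot be confirmed from this page.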
diff --git a/openldap.spec b/openldap.spec index c22ac4f..f82712c 100644 --- a/openldap.spec +++ b/openldap.spec @@ -16,8 +16,8 @@ %global __brp_remove_la_files %nil Name: openldap -Version: 2.6.7 -Release: 7%{?dist} +Version: 2.6.8 +Release: 1%{?dist} Summary: LDAP support libraries License: OLDAP-2.8 URL: http://www.openldap.org/ @@ -50,10 +50,7 @@ Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch # System-wide default for CA certs Patch7: openldap-openssl-manpage-defaultCA.patch Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch -Patch9: openldap-explicitly-cast-private-values.patch -# Needed for openldap-servers build -Patch10: openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch -Patch11: openldap-ITS-9921-fix-vlvResult-comment.patch +Patch9: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch # check-password module specific patches Patch90: check-password-makefile.patch @@ -176,10 +173,6 @@ pushd openldap-%{version} %patch -P7 -p1 %patch -P8 -p1 %patch -P9 -p1 -%if %{with servers} -%patch -P10 -p1 -%endif -%patch -P11 -p1 # build smbk5pwd with other overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays @@ -497,6 +490,7 @@ exit 0 %{_libdir}/openldap/home* %{_libdir}/openldap/lloadd* %{_libdir}/openldap/memberof* +%{_libdir}/openldap/nestgroup* %{_libdir}/openldap/otp* %{_libdir}/openldap/pcache* %{_libdir}/openldap/ppolicy* @@ -566,6 +560,10 @@ exit 0 %endif %changelog +* Mon Dec 16 2024 Simon Pichugin - 2.6.8-1 +- Rebase to version 2.6.8 (RHEL-71052) +- Avoid SSL context cleanup during library destruction (RHEL-68424) + * Tue Oct 29 2024 Troy Dawson - 2.6.7-7 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index d27ec13..a2fd447 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
-SHA512 (openldap-2.6.7.tgz) = ea207b84fdb7bc6cdff2bc1201fcdde6a907f5766f9637589d956ca86ecf61d4e732ab7d80f33b18b691644e1f5fa39b00ff2c7f4084c9b85760ee693a7c451e
+SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77