Move things around so hpn applies cleanly when using X509.

--- openssh-5.2p1+x509/Makefile.in
+++ openssh-5.2p1+x509/Makefile.in
@@ -44,11 +44,12 @@
 CC=@CC@
 LD=@LD@
 CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
+CPPFLAGS += @LDAP_CPPFLAGS@
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@
--- openssh-5.2p1+x509/servconf.c
+++ openssh-5.2p1+x509/servconf.c
@@ -108,6 +108,17 @@
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+	options->hostbased_algorithms = NULL;
+	options->pubkey_algorithms = NULL;
+	ssh_x509flags_initialize(&options->x509flags, 1);
+#ifndef SSH_X509STORE_DISABLED
+	ssh_x509store_initialize(&options->ca);
+#endif /*ndef SSH_X509STORE_DISABLED*/
+#ifdef SSH_OCSP_ENABLED
+	options->va.type = -1;
+	options->va.certificate_file = NULL;
+	options->va.responder_url = NULL;
+#endif /*def SSH_OCSP_ENABLED*/
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
@@ -152,18 +163,6 @@
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
 	options->zero_knowledge_password_authentication = -1;
-
-	options->hostbased_algorithms = NULL;
-	options->pubkey_algorithms = NULL;
-	ssh_x509flags_initialize(&options->x509flags, 1);
-#ifndef SSH_X509STORE_DISABLED
-	ssh_x509store_initialize(&options->ca);
-#endif /*ndef SSH_X509STORE_DISABLED*/
-#ifdef SSH_OCSP_ENABLED
-	options->va.type = -1;
-	options->va.certificate_file = NULL;
-	options->va.responder_url = NULL;
-#endif /*def SSH_OCSP_ENABLED*/
 }
 
 void
@@ -341,6 +340,16 @@
 	/* Portable-specific options */
 	sUsePAM,
 	/* Standard Options */
+	sHostbasedAlgorithms,
+	sPubkeyAlgorithms,
+	sX509KeyAlgorithm,
+	sAllowedClientCertPurpose,
+	sKeyAllowSelfIssued, sMandatoryCRL,
+	sCACertificateFile, sCACertificatePath,
+	sCARevocationFile, sCARevocationPath,
+	sCAldapVersion, sCAldapURL,
+	sVAType, sVACertificateFile,
+	sVAOCSPResponderURL,
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
@@ -364,16 +373,6 @@
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication,
-	sHostbasedAlgorithms,
-	sPubkeyAlgorithms,
-	sX509KeyAlgorithm,
-	sAllowedClientCertPurpose,
-	sKeyAllowSelfIssued, sMandatoryCRL,
-	sCACertificateFile, sCACertificatePath,
-	sCARevocationFile, sCARevocationPath,
-	sCAldapVersion, sCAldapURL,
-	sVAType, sVACertificateFile,
-	sVAOCSPResponderURL,
 	sDeprecated, sUnsupported
 } ServerOpCodes;