move things around so hpn applies cleanly when using X509

--- servconf.c
+++ servconf.c
@@ -106,6 +106,18 @@
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+
+	options->hostbased_algorithms = NULL;
+	options->pubkey_algorithms = NULL;
+	ssh_x509flags_initialize(&options->x509flags, 1);
+#ifndef SSH_X509STORE_DISABLED
+	ssh_x509store_initialize(&options->ca);
+#endif /*ndef SSH_X509STORE_DISABLED*/
+#ifdef SSH_OCSP_ENABLED
+	options->va.type = -1;
+	options->va.certificate_file = NULL;
+	options->va.responder_url = NULL;
+#endif /*def SSH_OCSP_ENABLED*/
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
 	options->pubkey_authentication = -1;
@@ -146,18 +158,6 @@
 	options->permit_tun = -1;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
-
-	options->hostbased_algorithms = NULL;
-	options->pubkey_algorithms = NULL;
-	ssh_x509flags_initialize(&options->x509flags, 1);
-#ifndef SSH_X509STORE_DISABLED
-	ssh_x509store_initialize(&options->ca);
-#endif /*ndef SSH_X509STORE_DISABLED*/
-#ifdef SSH_OCSP_ENABLED
-	options->va.type = -1;
-	options->va.certificate_file = NULL;
-	options->va.responder_url = NULL;
-#endif /*def SSH_OCSP_ENABLED*/
 }
 
 void
@@ -329,6 +329,16 @@
 	/* Portable-specific options */
 	sUsePAM,
 	/* Standard Options */
+	sHostbasedAlgorithms,
+	sPubkeyAlgorithms,
+	sX509KeyAlgorithm,
+	sAllowedClientCertPurpose,
+	sKeyAllowSelfIssued, sMandatoryCRL,
+	sCACertificateFile, sCACertificatePath,
+	sCARevocationFile, sCARevocationPath,
+	sCAldapVersion, sCAldapURL,
+	sVAType, sVACertificateFile,
+	sVAOCSPResponderURL,
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
@@ -351,16 +361,6 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
-	sHostbasedAlgorithms,
-	sPubkeyAlgorithms,
-	sX509KeyAlgorithm,
-	sAllowedClientCertPurpose,
-	sKeyAllowSelfIssued, sMandatoryCRL,
-	sCACertificateFile, sCACertificatePath,
-	sCARevocationFile, sCARevocationPath,
-	sCAldapVersion, sCAldapURL,
-	sVAType, sVACertificateFile,
-	sVAOCSPResponderURL,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
--- Makefile.in
++ Makefile.in
@@ -44,11 +44,12 @@
 CC=@CC@
 LD=@LD@
 CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
+CPPFLAGS += @LDAP_CPPFLAGS@
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@