diff -ruN openssh-4.5p1+x509-6.1/aclocal.m4 openssh-4.5p1+x509-6.1.1/aclocal.m4
--- openssh-4.5p1+x509-6.1/aclocal.m4 2007-10-25 19:06:00.000000000 +0300
+++ openssh-4.5p1+x509-6.1.1/aclocal.m4 2008-03-31 22:06:00.000000000 +0300
@@ -1,4 +1,4 @@
-dnl $Id$
+dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -84,221 +84,3 @@ #include ]) ]) - -# Options to build with LDAP -# -# Author: Roumen Petrov -# Revision: 19 Jul 2005 -# -dnl The variables provided are : -dnl - build flags: -dnl LDAP_LDFLAGS -dnl LDAP_LIBS -dnl LDAP_CPPFLAGS -dnl - conditional: -dnl LDAP_ON (e.g. '' or '#') -dnl LDAP_OFF (e.g. '#' or '' - oposite of LDAP_ON) -dnl - paths: -dnl LDAP_BINDIR -dnl LDAP_LIBEXECDIR -dnl LDAP_SYSCONFDIR - -AC_DEFUN([AC_WITH_LDAP], -[ -dnl -dnl Get the ldap paths -dnl - -ac_ldap='none' -AC_ARG_ENABLE(ldap, - [ --enable-ldap Enable LDAP queries], - ac_ldap="$enableval" -) - -if test "x$ac_ldap" = xyes; then - ac_ldap_prefix="" - AC_ARG_WITH(ldap-prefix, - [ --with-ldap-prefix=PATH Prefix where LDAP is installed (optional)], - ac_ldap_prefix="$withval" - ) - - AC_ARG_WITH(ldap-bindir, - [ --with-ldap-bindir=PATH Prefix where LDAP user executables are installed (optional)], - [LDAP_BINDIR="$withval"], - [ - if test "x$ac_ldap_prefix" != "x"; then - LDAP_BINDIR="$ac_ldap_prefix/bin" - fi - ] - ) - AC_SUBST(LDAP_BINDIR) - - AC_ARG_WITH(ldap-libexecdir, - [ --with-ldap-libexecdir=PATH Prefix where LDAP program executables are installed (optional)], - [LDAP_LIBEXECDIR="$withval"], - [ - if test "x$ac_ldap_prefix" = "x"; then - LDAP_LIBEXECDIR="/usr/libexec" - else - LDAP_LIBEXECDIR="$ac_ldap_prefix/libexec" - fi - ] - ) - AC_SUBST(LDAP_LIBEXECDIR) -dnl### Check for slapd -dnl if test "x$cross_compiling" = "xyes" ; then -dnl AC_MSG_NOTICE([cannot check for LDAP daemon when cross compiling]) -dnl else -dnl AC_CHECK_FILES( -dnl [ -dnl $LDAP_LIBEXECDIR/slapd -dnl ] -dnl ) -dnl fi - - AC_ARG_WITH(ldap-sysconfdir, - [ --with-ldap-sysconfdir=PATH Prefix where LDAP single-machine data are installed (optional)], - [LDAP_SYSCONFDIR="$withval"], - [LDAP_SYSCONFDIR="$ac_ldap_prefix/etc/openldap"] - ) - AC_SUBST(LDAP_SYSCONFDIR) -dnl### Check for schema files -dnl if test "x$cross_compiling" = "xyes" ; then -dnl AC_MSG_NOTICE([cannot check for schema files existence when cross compiling]) 
-dnl else -dnl AC_CHECK_FILES( -dnl [ -dnl $LDAP_SYSCONFDIR/schema/core.schema -dnl $LDAP_SYSCONFDIR/schema/cosine.schema -dnl $LDAP_SYSCONFDIR/schema/inetorgperson.schema -dnl ] -dnl ) -dnl fi - - - AC_ARG_WITH(ldap-libdir, - [ --with-ldap-libdir=PATH Prefix where LDAP libaries are installed (optional)], - [LDAP_LDFLAGS="-L$withval"], - [ - if test "x$ac_ldap_prefix" != "x"; then - LDAP_LDFLAGS="-L$ac_ldap_prefix/lib" - else - LDAP_LDFLAGS="" - fi - ] - ) - AC_SUBST(LDAP_LDFLAGS) - - AC_ARG_WITH(ldap-includedir, - [ --with-ldap-includedir=PATH Prefix where LDAP header files are installed (optional)], - [LDAP_CPPFLAGS="-I$withval"], - [ - if test "x$ac_ldap_prefix" != "x"; then - LDAP_CPPFLAGS="-I$ac_ldap_prefix/include" - else - LDAP_CPPFLAGS="" - fi - ] - ) - AC_SUBST(LDAP_CPPFLAGS) - - - ac_save_CPPFLAGS="$CPPFLAGS" - CPPFLAGS="$CPPFLAGS $LDAP_CPPFLAGS" - AC_CHECK_HEADERS( - [lber.h ldap.h], - [], - [ - AC_MSG_ERROR([cannot found LDAP headers]) - ] - ) - CPPFLAGS="$ac_save_CPPFLAGS" - - ac_ldap_libs="" - AC_ARG_WITH(ldap-libs, - [ --with-ldap-libs=LIBS Specify LDAP libraries to link with. 
- (default is -lldap -llber -lssl -lcrypto)], - [ac_ldap_libs="$withval"] - ) - -### Try to link with LDAP libs - ac_save_LDFLAGS="$LDFLAGS" - ac_save_LIBS="$LIBS" - - LDFLAGS="$LDAP_LDFLAGS $LDFLAGS" - ac_LDAP_LINK="" - if test "x$ac_ldap_libs" != "x"; then - AC_MSG_CHECKING([to link with specified LDAP libs]) - - LDAP_LIBS="$ac_ldap_libs" - LIBS="$LDAP_LIBS $ac_save_LIBS" - AC_LINK_IFELSE( - [AC_LANG_CALL([], [ldap_init])], - [ac_LDAP_LINK="yes"] - ) - if test "x$ac_LDAP_LINK" != "xyes"; then - AC_MSG_ERROR([cannot link with specified LDAP libs]) - fi - else - AC_MSG_CHECKING([how to link LDAP libs]) - - LDAP_LIBS="-lldap" - for L in lber ssl crypto; do - LDAP_LIBS="$LDAP_LIBS -l$L" - LIBS="$LDAP_LIBS $ac_save_LIBS" - AC_LINK_IFELSE( - [AC_LANG_CALL([], [ldap_init])], - [ac_LDAP_LINK="yes"] - ) - if test "x$ac_LDAP_LINK" = "xyes"; then - break - fi - done - if test "x$ac_LDAP_LINK" != "xyes"; then - AC_MSG_ERROR([cannot link with default LDAP libs]) - fi - fi - AC_MSG_RESULT([done]) - LIBS="$ac_save_LIBS" - LDFLAGS="$ac_save_LDFLAGS" - AC_SUBST([LDAP_LIBS]) -else - AC_MSG_NOTICE([LDAP is disabled]) -fi - -if test "x$ac_ldap" = "xyes"; then - AC_DEFINE_UNQUOTED( - LDAP_ENABLED, 1, - [Define if you want to enable LDAP queries]) - LDAP_ON='' - LDAP_OFF='#' -else - LDAP_ON='#' - LDAP_OFF='' -fi -AC_SUBST(LDAP_ON) -AC_SUBST(LDAP_OFF) -]) - - -# AC_LDAP_FUNCS(FUNCTION...) 
-# -------------------------------- -AC_DEFUN([AC_LDAP_FUNCS], -[ -dnl -dnl Check ldap functions -dnl -AC_REQUIRE([AC_WITH_LDAP]) -if test "x$ac_ldap" = "xyes"; then - ac_save_CPPFLAGS="$CPPFLAGS" - ac_save_LDFLAGS="$LDFLAGS" - ac_save_LIBS="$LIBS" - CPPFLAGS="$CPPFLAGS $LDAP_CPPFLAGS" - LDFLAGS="$LDFLAGS $LDAP_LDFLAGS" - LIBS="$LDAP_LIBS $LIBS" - AC_CHECK_FUNCS([$1],[],[]) - LIBS="$ac_save_LIBS" - LDFLAGS="$ac_save_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS" -fi -]) diff -ruN openssh-4.5p1+x509-6.1/authfile.c openssh-4.5p1+x509-6.1.1/authfile.c --- openssh-4.5p1+x509-6.1/authfile.c 2006-11-08 09:06:01.000000000 +0200 +++ openssh-4.5p1+x509-6.1.1/authfile.c 2008-03-31 22:06:01.000000000 +0300 @@ -518,6 +518,7 @@ "unknown EVP_PKEY save_type %d", pk->save_type); } if (prv) { + lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ x509key_load_cert(prv, fp); if (prv->x509 != NULL) { if (!X509_check_private_key(prv->x509, pk)) { diff -ruN openssh-4.5p1+x509-6.1/configure openssh-4.5p1+x509-6.1.1/configure --- openssh-4.5p1+x509-6.1/configure 2007-10-25 19:06:02.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/configure 2008-03-31 22:06:02.000000000 +0300 @@ -1815,6 +1815,19 @@ +# Options to build with LDAP +# +# Author: Roumen Petrov +# Revision: 22 Oct 2007 +# + + + + +# AC_LDAP_FUNCS(FUNCTION...) +# -------------------------------- + + ac_config_headers="$ac_config_headers config.h" @@ -31860,6 +31873,7 @@ OCSP_ON='' OCSP_OFF='#' + LIBS="-lssl $LIBS" else OCSP_ON='#' OCSP_OFF='' diff -ruN openssh-4.5p1+x509-6.1/configure.ac openssh-4.5p1+x509-6.1.1/configure.ac --- openssh-4.5p1+x509-6.1/configure.ac 2007-10-25 19:06:00.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/configure.ac 2008-03-31 22:06:00.000000000 +0300 @@ -17,6 +17,7 @@ AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) AC_REVISION($Revision: 1.370 $) AC_CONFIG_SRCDIR([ssh.c]) +m4_include([m4/ldap.m4]) AC_CONFIG_HEADER(config.h) AC_PROG_CC 
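Review bot: In the authfile.c hunk, the added `lseek(fd, (off_t) 0, SEEK_SET);` repositions the descriptor and ignores the result, while the next line, `x509key_load_cert(prv, fp)`, reads through the stdio stream `fp`. If `fp` wraps `fd` (the fdopen is presumably above the hunk), bytes already buffered by the earlier private-key read are served first, so whether the certificate is found depends on buffer size and file layout rather than on the rewind. Rewinding the stream and checking the result is more predictable: `if (fseek(fp, 0L, SEEK_SET) != 0)` followed by an error log and the function's failure path. This matters because, if the load then leaves `prv->x509` NULL, the `X509_check_private_key` consistency check on the following lines is skipped without any diagnostic. The enclosing function starts and ends outside the hunk.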
@@ -3706,6 +3707,7 @@ [Define if you don't want to validate X.509 certificates with OCSP]) OCSP_ON='' OCSP_OFF='#' + LIBS="-lssl $LIBS" else OCSP_ON='#' OCSP_OFF='' diff -ruN openssh-4.5p1+x509-6.1/Makefile.in openssh-4.5p1+x509-6.1.1/Makefile.in --- openssh-4.5p1+x509-6.1/Makefile.in 2006-11-08 09:06:01.000000000 +0200 +++ openssh-4.5p1+x509-6.1.1/Makefile.in 2008-03-31 22:06:01.000000000 +0300 @@ -401,13 +401,10 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -tests: check - # Target check is more common for the projects using autoXXXX tools +check: tests -check: check-regress check-certs - -check-regress: $(TARGETS) +tests: $(TARGETS) BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ @@ -438,8 +435,8 @@ TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \ TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ EXEEXT="$(EXEEXT)" \ - tests - + $@ + $(MAKE) check-certs check-certs: $(TARGETS) @BUILDDIR="`pwd`"; \ @@ -479,3 +476,6 @@ sh buildpkg.sh; \ fi +depend: + (cd openbsd-compat && $(MAKE) $@) + makedepend -- $(CPPFLAGS) $(CFLAGS) -- $(srcdir)/*.c diff -ruN openssh-4.5p1+x509-6.1/openbsd-compat/Makefile.in openssh-4.5p1+x509-6.1.1/openbsd-compat/Makefile.in --- openssh-4.5p1+x509-6.1/openbsd-compat/Makefile.in 2006-08-30 20:24:41.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/openbsd-compat/Makefile.in 2008-03-31 22:06:01.000000000 +0300 @@ -40,3 +40,6 @@ distclean: clean rm -f Makefile *~ + +depend: + makedepend -- $(CPPFLAGS) $(CFLAGS) -- $(srcdir)/*.c diff -ruN openssh-4.5p1+x509-6.1/README.x509v3 openssh-4.5p1+x509-6.1.1/README.x509v3 --- openssh-4.5p1+x509-6.1/README.x509v3 2007-10-24 00:53:39.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/README.x509v3 2008-03-31 20:43:34.000000000 +0300 @@ -1,6 +1,6 @@ Roumen Petrov Sofia, Bulgaria - Wed Oct 24 2007 + Mon Mar 31 2008 How to use X.509 certificates with OpenSSH? 
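Review bot: In the second configure.ac hunk (the OCSP-enabled branch), `LIBS="-lssl $LIBS"` is prepended without any link test, so a missing or unlinkable libssl surfaces only at link time. It also means every program linked with `$LIBS` picks up libssl whether or not it uses OCSP. Consider probing with `AC_CHECK_LIB` or `AC_SEARCH_LIBS` for a symbol the OCSP code actually calls and failing in configure with `AC_MSG_ERROR` otherwise; if only some binaries need it, a separate substituted variable would keep the dependency off the rest. The same line appears in the generated `configure` hunk, and the surrounding `if` starts and ends outside the hunk.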
@@ -196,7 +196,7 @@ 3.) test X.509 certificates. -3.1.) In openssh build dir run "make check" or "make test". +3.1.) In openssh build dir run "make check" or "make tests". Both commands are equivalent and run regression tests. If you want to test only X.509 certificates you can run $ make check-certs diff -ruN openssh-4.5p1+x509-6.1/tests/CA/config openssh-4.5p1+x509-6.1.1/tests/CA/config --- openssh-4.5p1+x509-6.1/tests/CA/config 2007-10-22 22:30:27.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/tests/CA/config 2008-02-25 22:07:50.000000000 +0200 @@ -182,8 +182,11 @@ SSH_OPENSLL_OCSP_TMOUT=60 # === LDAP: -#SSH_LDAP_DB=bdb -SSH_LDAP_DB=ldbm +SSH_LDAP_DB=bdb +# "hdb" backend since openldap 2.2+ +#SSH_LDAP_DB=hdb +# openldap 2.4+ deprecate "ldbm" backend +#SSH_LDAP_DB=ldbm SSH_LDAP_DC="dc=example,dc=com" if test -z "${LDAPD_PORT}"; then diff -ruN openssh-4.5p1+x509-6.1/tests/CA/test-by_ldap.sh.inc openssh-4.5p1+x509-6.1.1/tests/CA/test-by_ldap.sh.inc --- openssh-4.5p1+x509-6.1/tests/CA/test-by_ldap.sh.inc 2007-10-22 22:30:52.000000000 +0300 +++ openssh-4.5p1+x509-6.1.1/tests/CA/test-by_ldap.sh.inc 2008-02-25 22:07:50.000000000 +0200 @@ -69,7 +69,7 @@ cat <