[18:36:12] moritzm: jbond42: not sure that either/both of you are still around for the week, but, one of the things I'd like to support in Klaxon is that anyone who has 'deployment'-level access can send us a page. however those groups are all Puppet admin module concepts, and I think not reflected in LDAP/CAS in any way, right?
[18:36:38] (*most* of those people fall into wmf/wmde/nda LDAP groups, but I'm not sure that's 100% true)
[18:51:10] cdanis: that's right the posix groups are not in ldap. morit.zm may know of some group or combination of which meets your needs. but if not we should be able to create one. May even be able to populate it from puppet
[18:51:39] if not some systemd timer
[18:51:48] ok! part of this will also be defining the need, but I think "has a production shell account at all" is probably the bar to use Klaxon ... which maybe the ldap consistency checker already does?
[18:52:15] (at first I was thinking "at least deployers" but I think it's probably even broader than that)
[18:57:16] yes i think i would agree that seems like a good barrier to me and can always make it more strict if needed
[18:58:06] i just took a look and couldn't see anything obvious we could reuse in the ldap automating that shouldn't be too hard
[19:20:07] we don't map this to LDAP yet, but we can add a new LDAP group like cn=shellaccess which gets auto-synched every day based on what's in production groups
[19:20:31] the other ones are too broad, most people only use cn=wmf or cn=nda for access to the web-based services
[19:25:54] cn=shellaccess would be useful for this use case and I suspect others as well
[19:26:13] * cdanis happy to file a task
[20:47:29] (https://phabricator.wikimedia.org/T271587)
[21:19:37] ack, I'll look into this next week