It would be nice to be able to easily allow anyone who has shell access in production to send SRE pages using Klaxon, or more generally, to recognize this level of access from CAS SSO and from other LDAP clients.
We should add a new LDAP group which gets auto-synched daily from the admin module's data.yaml, the authoritative source of who has prod shell access.
A good name for this group is probably something like cn=prodshellaccess or perhaps cn=prodaccess. (We originally discussed cn=shellaccess, but this might be too easy to confuse with having shell access in either of prod or wmcloud.)