There is currently a $::realm based variation in the ::mediawiki::users Puppet class for the User['mwdeploy'] define to vary the default shell. It whould be nice if we could resolve the difference between production and labs LDAP so that this variation was not necessary.
I used the mwdeploy user in deployment-prep as the controlling user for the scap runs that are performed by puppet. The ::beta::scap::* classes configure the user to have an ssh keypair that is used to make the ssh command and control connections when scap is run via the /usr/local/bin/wfm-beta-scap wrapper script.
We could either pick/create another user to transfer the ssh key to for beta or change Puppet to give the mwdeploy user a /bin/bash default shell in production.