You may want to add or select an LDAP group to represent the people who should have access, like we do: https://github.com/mozilla/build-puppet/blob/master/manifests/moco-config.pp#L151 default => hiera('ldap_admin_users', # backup to ensure access in case the sync fails: ['arr', 'dmitchell', 'jwatkins']) that way changes to the LDAP group are automatically reflected in the config. vpn_qa_scl3 might be a good place to start.
Created attachment 8518494 [details] [diff] [review] ldap_group v1
Created attachment 8518496 [details] [diff] [review] ldap_group v1.1 Missed to remove a closing bracket.
http://hg.mozilla.org/qa/puppet/rev/a34a295df66b (default) http://hg.mozilla.org/qa/puppet/rev/0a6e2e7a985f (production)