Some of the planned FreeIPA features are not compatible with old versions and require all FreeIPA servers to be on some minimal version in order to work properly.

The first consumers will be:

• Topology plugin (#4302): automated replication agreement management that requires FreeIPA 4.2 version on all replicas in order to work.
• Replica installation by client promotion (#2888): requires Custodia service to be present on the replica it installs from, in order to read secrets. This may or may not be implemented via Domain Levels, it may also be just checked online during installation, to see if Custodia is there.

Scope of the work

• Maintaining supported domain levels in FreeIPA server objects (cn=masters)
• Adding CLI for raising the domain level (including validation of the pre-requisites)
• Adding "Default domain level" configuration to FreeIPA that is then used by ipa-server-install for new instances. The assumption is that it will be the newest one, under normal conditions. It should be possible to force lower supported domain level in the installer.