#5401 [RFE] Check if kinited user has enough privileges to be able finish installation on replica
Closed: Fixed None Opened 8 years ago by mbasti.

New code using replica promotion mechanism relies on GSSAPI LDAP remote connection to the master server.

In case the user does not have enough privileges, the installation of ipa-ca-install, ipa-server-install (and probably ipa-kra-install) on the replica will fail at a random step depending on the user's privileges.

We should check if the user's privileges are enough to completely finish the installation.

Related tickets: #5400, #5399


We should check if the user can perform a critically privileged operation necessary for joining a replica.
If we had a Replica Admins group we might use that, but we don't, and it may still not be appropriate.
We shouldn't have blanket checks on some magical group though, as that will break later if we add delegation rules for this operation. For example, we have future plans to allow a preissued OTP/keytab to create a new replica. The identity associated with that keytab will Definitely Not be in the admins group.

master:

  • e137f30 aci: allow members of ipaservers to set up replication
  • 662158b ipautil: use file in a temporary dir as ccache in private_ccache
  • c2af409 replica promotion: use host credentials when setting up replication
  • 4254448 replica promotion: automatically add the local host to ipaservers
  • 01ddf51 custodia: do not modify memberPrincipal on key update

The ipaservers membership check is done too early and may fail with a "not found" error in domain level 0.

Reopening the ticket.

master:

  • b4a78db replica promotion: check domain level before ipaservers membership
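The ordering fixed in b4a78db, as an added example that is not FreeIPA's own code: a pre-flight check that reads the domain level first and only then requires the local host to be a member of ipaservers, so the check fails with a clear message before promotion starts rather than part-way through. The directory is an in-memory dict standing in for the LDAP server, and the DNs (cn=Domain Level,cn=ipa,cn=etc and cn=ipaservers,cn=hostgroups,cn=accounts) are assumed to follow FreeIPA's layout.

```python
SUFFIX = "dc=example,dc=test"  # constructed suffix, not a real deployment
DOMAIN_LEVEL_DN = "cn=Domain Level,cn=ipa,cn=etc," + SUFFIX      # assumed layout
IPASERVERS_DN = "cn=ipaservers,cn=hostgroups,cn=accounts," + SUFFIX  # assumed layout


class ReplicaPreflightError(Exception):
    """Raised when the replica-to-be would not be able to finish promotion."""


def host_dn(fqdn):
    return "fqdn=%s,cn=computers,cn=accounts,%s" % (fqdn, SUFFIX)


def get_domain_level(directory):
    # A missing 'Domain Level' entry means a pre-promotion deployment: level 0.
    entry = directory.get(DOMAIN_LEVEL_DN)
    if entry is None:
        return 0
    return int(entry["ipaDomainLevel"][0])


def check_replica_preflight(directory, local_fqdn):
    level = get_domain_level(directory)
    if level == 0:
        # cn=ipaservers does not exist at domain level 0; looking it up
        # before checking the level is the "not found" failure from the ticket.
        return "domain level 0: ipaservers membership not required"
    group = directory.get(IPASERVERS_DN)
    if group is None:
        raise ReplicaPreflightError("%s not found" % IPASERVERS_DN)
    if host_dn(local_fqdn) not in group.get("member", []):
        # The replication ACI only applies to ipaservers members, so a
        # non-member would fail later at a random step; fail early instead.
        raise ReplicaPreflightError(
            "%s is not a member of ipaservers" % local_fqdn)
    return "domain level %d: %s may set up replication" % (level, local_fqdn)


# Constructed sample directories standing in for the master's LDAP tree.
DIR_LEVEL0 = {}  # no domain level entry and no ipaservers group at all
DIR_LEVEL1 = {
    DOMAIN_LEVEL_DN: {"ipaDomainLevel": ["1"]},
    IPASERVERS_DN: {"member": [host_dn("master.example.test")]},
}
```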

Metadata Update from @mbasti:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3

7 years ago
