Hi,
Pretty much any documentation around oVirt use of domains uses an
undefined user (engine-manage-domains ... --user=[USER]) and maybe
because of that, virtually all the ovirt tutorials that feature
FreeIPA/IdM use "admin" user of FreeIPA (engine-manage-domains ...
--provider=freeipa --user=admin). This leads to a pretty scary situation
where the administrator password for your identity management system is
stored for use by another system (ovirt-engine).
So, the right way to do things should be to use a "service user" for the
engine that would have just enough privileges in FreeIPA to work
correctly. So my questions are:
1. What are the necessary permissions for such a service user?
2. How to create such a user? Can it be done through the IPA web UI or
does one need to go through the ldif/ldapmodify route?
Best regards,
David