With IPA 1.x access to the configuration partition is permitted only for "cn=Directory Manager", for some common operations like creating replicas or in future configuration changes to some of the plugins (like DNA) it would be better to let admin have select write access and read access to parts on cn=config We should add proper ACIs during v2 timeframe. This will also allow better access to these configuration changes from the web ui.
The delete and manage agreements can be done but new agreements can not be created yet.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1934
Thank you taking your time and submitting this request for FreeIPA in Fedora. Unfortunately, this bug was not given a priority and was deferred both in Fedora and in the upstream FreeIPA project. Given that we are unable to fulfill this request in following Fedora releases, I am closing the Bugzilla as DEFERRED. To request re-consideration of this decision please reopen this Bugzilla and provide additional technical details about its importance to you. Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.