Upgrade: fix replica agreement
    
    The upgrade checks the replication agreements to ensure that
    some attributes are excluded from replication. The agreements
    are stored in entries like
    cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
    but those entries are managed by the replication topology plugin
    and should not be updated directly. The consequence is that the update
    of the attributes fails and ipa-server-update prints an error message:
    
    Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
    to perform: Entry and attributes are managed by topology plugin.No direct
    modifications allowed.
    Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
    unwilling to perform: Entry and attributes are managed by topology
    plugin.No direct modifications allowed.
    
    The upgrade continues but the replication is not excluding
    passwordgraceusertime.
    
    Instead of editing the agreements, perform the modifications on
    the topology segments.
    
    Fixes: https://pagure.io/freeipa/issue/9385
    Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>