The default mech is EXTERNAL and in ipa-adtrust-install the root user is mapped to the directory manager which does have permissions to modify cn=config.
However, if the user has configured SASL_MECH configuration option, e.g. to 'SASL_MECH GSSAPI', we will bind as admin user, which does not have the permissions to modify cn=config.
This can be reproduced creating a /root/.ldaprc file with the following content
SASL_MECH GSSAPI
Duplicate to #3895.
Metadata Update from @tbabej: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Login to comment on this ticket.