Fix managing winsync replication agreements with ipa-replica-manage

force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.

This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync

https://fedorahosted.org/freeipa/ticket/2128

ipaserver/install/replication.py

@@ -226,7 +226,7 @@ class ReplicationManager(object):
         Returns None if not found.
         """
 
-        filt = "(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaHost=%s))" % hostname
+        filt = "(&(|(objectclass=nsds5ReplicationAgreement)(objectclass=nsDSWindowsReplicationAgreement))(nsDS5ReplicaHost=%s))" % hostname
         try:
             entry = self.conn.search_s("cn=mapping tree,cn=config",
                                        ldap.SCOPE_SUBTREE, filt)