Now I did try it out and think I found a solution to your problem:
access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
    by users read

access to dn.children="ou=users,dc=test,dc=com"
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read

access to dn.base="ou=users,dc=test,dc=com"
    by users read
Does this work for you?
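The three access statements above depend on slapd's first-match evaluation, so their order matters. The following is an added example, not part of the original post and not slapd code: a simplified Python model of that evaluation (no attribute lists, DN normalization or control keywords), using constructed sample entries with hypothetical uids.

```python
# Simplified model of slapd first-match ACL evaluation (added example, not slapd itself).
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
USERS_OU = "ou=users,dc=test,dc=com"

def in_scope(scope, base, dn):
    """dn.base matches only the entry itself; dn.children matches anything below it."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return dn.endswith("," + base)  # children: strictly below base

# (scope, base, required objectClass or None, ordered by-clauses) as posted in the thread
ACLS = [
    ("children", USERS_OU, "radiusprofile", [(RADIUS, "read"), ("users", "read")]),
    ("children", USERS_OU, None,            [(RADIUS, "none"), ("users", "read")]),
    ("base",     USERS_OU, None,            [("users", "read")]),
]

def who_matches(who, bind_dn):
    if who == "users":            # any authenticated identity
        return bind_dn is not None
    return bind_dn is not None and bind_dn.lower() == who.lower()

def evaluate(acls, bind_dn, entry_dn, object_classes):
    """Return the access level granted to bind_dn (None = anonymous) on one entry."""
    classes = {c.lower() for c in object_classes}
    for scope, base, oc, by_clauses in acls:
        if not in_scope(scope, base, entry_dn):
            continue
        if oc is not None and oc.lower() not in classes:
            continue
        # First statement whose <what> matches decides; later ones are never consulted.
        for who, level in by_clauses:
            if who_matches(who, bind_dn):
                return level
        return "none"             # implicit trailing "by * none"
    return "none"                 # implicit final "access to * by * none"

# Constructed sample entries (hypothetical uids)
ALICE = ("uid=alice,ou=users,dc=test,dc=com", ["inetOrgPerson", "radiusprofile"])
BOB = ("uid=bob,ou=users,dc=test,dc=com", ["inetOrgPerson"])

if __name__ == "__main__":
    for dn, ocs in (ALICE, BOB, (USERS_OU, ["organizationalUnit"])):
        print(dn, "->", evaluate(ACLS, RADIUS, dn, ocs))
    swapped = [ACLS[1], ACLS[0], ACLS[2]]
    print("swapped order, alice ->", evaluate(swapped, RADIUS, *ALICE))
```

With the first two statements swapped, the general `none` rule matches first and the radius account loses access to the radiusprofile entries as well.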
hi peter, the acl statements you provided are working. deploying them in our productive environment requires rewriting plenty of the existing acls. due to the risks associated with messing with the acls unfortunately I'll have to postpone the modifications to the time between christmas and new year's. nevertheless thank you for your effort on finding a solution to my problem.
cheers,
marvin