There are three major roles in eDirectory that you need to clearly define:
eDirectory administrator: Needs complete access rights to the tree.
RADIUS administrator: Needs access only to the RADIUS container and users.
The eDirectory administrator can grant the RADIUS administrator rights to read the Universal Password of all users under container C by granting the administrator inheritable write rights to the ACL attribute of C.
After eDirectory is integrated with FreeRADIUS, the RADIUS administrator needs to be given rights to read the login details of the RADIUS users.
RADIUS and eDirectory users: Need access rights as defined by the eDirectory administrator to all of their own attributes. Access to RADIUS attributes is not required.