Got it to work now!
Is it possible to restrict the authentication to members of one LDAP group with the help of authentication schema - settings - search filter?
You can set "Use Exact Distinguished Name" to "No" and try to add the group restriction to the search filter. As an alternative, create an authorization scheme that does a group search with DBMS_LDAP (the APEX_LDAP group membership functions are specific to Oracle's LDAP server) and apply the authorization scheme at application level. Your application code will have to contain the wallet path and password, though. DBMS_LDAP does not access the wallet information of the APEX instance settings.
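
A sketch of the DBMS_LDAP group check described above, written as the body of an authorization scheme of type "PL/SQL Function Returning Boolean". This is an added example, not code from the thread. The host, wallet path, passwords, service account and DNs are placeholders, and it assumes the directory identifies users by `uid` and exposes a `memberOf` attribute. The user name is escaped before it goes into the search filter, and any LDAP error denies access.

```plsql
declare
  -- Placeholders (assumptions): replace with your directory's values.
  c_host       constant varchar2(255) := 'ldap.example.com';
  c_port       constant pls_integer   := 636;
  c_wallet     constant varchar2(255) := 'file:/path/to/wallet';
  c_wallet_pwd constant varchar2(255) := 'WALLET_PASSWORD';
  c_bind_dn    constant varchar2(255) := 'cn=apex_svc,dc=example,dc=com';
  c_bind_pwd   constant varchar2(255) := 'BIND_PASSWORD';
  c_base       constant varchar2(255) := 'dc=example,dc=com';
  c_group_dn   constant varchar2(255) := 'cn=apex_users,ou=groups,dc=example,dc=com';

  l_session dbms_ldap.session;
  l_attrs   dbms_ldap.string_collection;
  l_result  dbms_ldap.message;
  l_rc      pls_integer;
  l_count   pls_integer;

  -- Escape LDAP filter metacharacters (RFC 4515); backslash is replaced first.
  function esc(p in varchar2) return varchar2 is
  begin
    return replace(replace(replace(replace(replace(p,
             '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), chr(0), '\00');
  end esc;
begin
  dbms_ldap.use_exception := true;          -- LDAP errors raise exceptions
  l_session := dbms_ldap.init(c_host, c_port);
  -- 2 = one-way SSL: the server certificate is checked against the wallet
  l_rc := dbms_ldap.open_ssl(l_session, c_wallet, c_wallet_pwd, 2);
  l_rc := dbms_ldap.simple_bind_s(l_session, c_bind_dn, c_bind_pwd);

  l_attrs(1) := 'cn';                       -- only the entry count matters
  l_rc := dbms_ldap.search_s(
            l_session, c_base, dbms_ldap.scope_subtree,
            '(&(uid=' || esc(:APP_USER) || ')(memberOf=' || esc(c_group_dn) || '))',
            l_attrs, 0, l_result);
  l_count := dbms_ldap.count_entries(l_session, l_result);
  l_rc := dbms_ldap.unbind_s(l_session);
  return l_count = 1;                       -- exactly one matching user entry
exception
  when others then
    begin
      l_rc := dbms_ldap.unbind_s(l_session);
    exception
      when others then null;
    end;
    return false;                           -- fail closed on any LDAP error
end;
```

The database user also needs a network ACL entry for the LDAP host, and a `memberOf` match of this kind covers direct group membership only.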