anoushiravan (Staff)
Article Id 286863
Description: This article describes that, for FortiGate to authenticate users via an LDAPS server, FortiGate must first establish a successful secure (TLS) connection to the LDAPS server on port 636, and how to identify the case where that connection fails because the server certificate is issued by a CA that FortiGate does not trust.
Scope: FortiGate, FortiProxy.
Solution

Generally, the LDAPS connection fails because the issuer of the certificate that the LDAPS server sends to FortiGate in the 'Server Hello' is not a CA that is valid (imported and trusted) on FortiGate. In this case, the PCAP file shows the TLS error message 'Alert (Level: Fatal, Description: Unknown CA)':

[Image: Shot-3.JPG, packet capture showing the 'Unknown CA' fatal TLS alert]

In order to check the imported CA certificate on FortiGate, run the below command and look for the imported CA certificate:

get vpn certificate ca details

Run the below sniffer command via the CLI, then go to the LDAPS server configuration on FortiGate and select 'Test Connectivity' to capture the TLS handshake and see the possible reasons for the failed LDAPS connection:

diag sniffer packet any "host <LDAPS server IP> and port 636" 6 0 l

In this example, it can be seen that the issuer of the imported CA certificate does not match the issuer of the certificate coming from the LDAPS server:

get vpn certificate ca details

== [ CA_Cert_1 ]
Name: CA_Cert_1
Subject: DC = com, DC = fortiserver, CN = fortiserver-SELBY-KVM09-CA
Issuer: DC = com, DC = fortiserver, CN = fortiserver-SELBY-KVM09-CA  <-----

whereas the issuer of the certificate presented by the LDAPS server is Fortiservice-UNIVERSE-ESX41-CA <-----

[Image: Shot-2.JPG, packet capture showing the issuer of the LDAPS server certificate]

The issue is therefore on the LDAPS server side: the certificate it presents is not issued by the CA that is imported on FortiGate, and the certificate issue should be resolved on the LDAPS server.
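The same issuer comparison can be reproduced offline with openssl, which is useful when the sniffer output is hard to read. The script below is an added example and is not part of the Fortinet article or any Fortinet tool: it takes the CA certificate that is imported on FortiGate and the certificate the LDAPS server presents (for example saved from `openssl s_client -connect <LDAPS server IP>:636 -showcerts`), compares the server certificate's Issuer DN with the CA's Subject DN, and then runs a full signature verification, so it distinguishes the "Unknown CA" case in the article (issuer DN differs) from a CA that has the right name but the wrong key. The file names, the `check_ldaps_chain` function and the throwaway test CAs are assumptions made for this example; the CA names only mimic those in the article's output.

```shell
#!/bin/sh
# Added example, not Fortinet code: offline equivalent of the issuer check the
# article performs with 'get vpn certificate ca details' and the sniffer.
# Usage: sh check_ldaps_chain.sh <imported_ca.pem> <ldaps_server_cert.pem>

# Print the Subject and Issuer DN of a PEM certificate (for eyeballing).
cert_dn() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Return 0 if the server certificate's Issuer DN equals the CA's Subject DN
# and the signature verifies against that CA; 1 if the Issuer DN differs
# (the 'Unknown CA' alert case); 2 if the DN matches but the signature does not
# verify (same CA name, different key).
check_ldaps_chain() {
    ca="$1"; server="$2"
    ca_subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')
    srv_issuer=$(openssl x509 -in "$server" -noout -issuer | sed 's/^issuer=//')
    if [ "$ca_subject" != "$srv_issuer" ]; then
        echo "issuer mismatch: server cert issued by '$srv_issuer'," \
             "imported CA is '$ca_subject'" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1; then
        echo "issuer DN matches but signature does not verify against $ca" >&2
        return 2
    fi
    echo "server certificate chains to imported CA '$ca_subject'"
    return 0
}

# Constructed test material only: build a throwaway self-signed CA
# (make_ca <basename> <CN>) and a server certificate signed by a given CA
# (make_server_cert <basename> <ca_basename> <CN>). DNs mimic the article.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days 1 -subj "/DC=com/DC=fortiserver/CN=$2" >/dev/null 2>&1
}
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -out "$1.pem" -days 1 >/dev/null 2>&1
}

# When run with two PEM paths, perform the check on real input.
if [ "$#" -eq 2 ]; then
    cert_dn "$1"; cert_dn "$2"
    check_ldaps_chain "$1" "$2"
fi
```

Exit code 1 corresponds to the situation shown in the article (the LDAPS server's certificate names a different issuer than the CA imported on FortiGate); exit code 2 means the names agree but the imported CA is not actually the one that signed the server certificate, which FortiGate would also reject.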

Related articles:
Technical Tip: Cannot contact LDAP server message when enabled the LDAP over SSL configurations.
Troubleshooting Tip: Status of LDAP server connected via IPsec VPN shows 'Can't contact LDAP server'