FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
KC_Hing
Staff
Article Id 209208
Description This article describes how to identify an LDAPS connection issue from the server's reply packet, which carries its SSL certificate.
Scope FortiGate.
Solution

To perform a packet capture from the GUI:

Go to Network -> Packet Capture and create a new filter to capture the LDAPS server traffic. Download and open the captured PCAP file with Wireshark, then filter on 'tcp.port==636'.

[Screenshot: Wireshark view of the capture filtered on tcp.port==636]

In the above example, the user can examine the Server Hello packet to identify the server certificate details and then check them against the following FortiGate configuration items.

  1. Determine whether the CA certificate has been imported correctly, so that FortiGate accepts LDAP server certificates signed by that CA.
  2. Make sure FortiGate is able to resolve the server certificate common name to the correct IP address.

exec ping winsvr16.fortilab.local
PING winsvr16.fortilab.local (10.165.2.110): 56 data bytes
64 bytes from 10.165.2.110: icmp_seq=0 ttl=128 time=0.4 ms

If the LDAP server is configured using its IP address, ensure that the LDAP server certificate presented to the firewall includes the server's IP address in either the Common Name (CN) or the Subject Alternative Name (SAN) field.

  3. Check and update the LDAP Server setting so that 'set server' refers to the LDAP server certificate common name.

config user ldap
    edit "LDAPS"
        set server "winsvr16.fortilab.local"   <<<
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end
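The name check behind steps 2 and 3 above (does the 'set server' value, FQDN or IP, appear in the certificate's CN or SAN?), as an added Python example that is not part of the article and not FortiGate code; it uses only the standard library, and SAMPLE_CERT is a constructed dictionary in the shape returned by ssl getpeercert(), not a real certificate.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names mirror the article's lab server, this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "winsvr16.fortilab.local"),),),
    "issuer": ((("commonName", "CA_Cert_1"),),),
    "subjectAltName": (("DNS", "winsvr16.fortilab.local"),
                       ("DNS", "*.fortilab.local"),
                       ("IP Address", "10.165.2.110")),
}

def certificate_names(cert):
    """Return (common_name, dns_sans, ip_sans) from a getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    ips = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    return cn, dns, ips

def _dns_match(pattern, host):
    # Case-insensitive exact match, or one wildcard covering the leftmost label only.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def cert_matches_server(cert, server):
    """True if the 'set server' value (FQDN or IP) is covered by the certificate.
    Hostnames are matched against DNS SANs (CN only if no DNS SAN is present);
    an IP is accepted from an iPAddress SAN or, as the article allows, the CN."""
    cn, dns, ips = certificate_names(cert)
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        candidates = dns if dns else ([cn] if cn else [])
        return any(_dns_match(p, server) for p in candidates)
    return any(ipaddress.ip_address(i) == ip for i in ips) or cn == str(ip)

def fetch_peer_cert(server, port=636, ca_file=None, timeout=5):
    """Connect to the LDAPS port and return the server certificate as a dict.
    The chain is still validated against ca_file (the FortiGate 'ca-cert');
    hostname checking is disabled so a name mismatch is reported separately."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            return tls.getpeercert()
```

Running fetch_peer_cert() against the LDAPS server with the same CA file imported on the FortiGate separates a chain/trust failure (ssl.SSLCertVerificationError) from a name mismatch, which cert_matches_server() then reports on the returned certificate.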

Related articles:

Technical Tip: FortiGate is unable to contact to LDAPS server, receives error message 'Can't contact...

Troubleshooting Tip: Status of LDAP server connected via IPsec VPN shows 'Can't contact LDAP server'