Shantilal1998
New Contributor III

How to fetch LDAP users directly in security policies

Hi guys,

 

Kindly confirm if we can fetch the LDAP users directly in the security policies without creating the user objects.

Christian_89
Contributor III

Yes, it is possible to fetch LDAP users directly in security policies on a FortiGate firewall without creating user objects. FortiGate supports LDAP authentication for user-based security policies.

To configure this, you need to set up the LDAP server settings and configure the security policies accordingly. Here's a general outline of the steps involved:

1. Configure the LDAP Server:
- Go to "User & Device" > "Authentication" > "LDAP Servers" in the FortiGate web interface.
- Click on "Create New" to configure a new LDAP server.
- Provide the necessary details such as server IP address, port, protocol, and authentication credentials.
- Test the connection to ensure that the FortiGate can communicate with the LDAP server successfully.

2. Configure Security Policies:
- Go to "Policy & Objects" > "IPv4 Policy" (or "IPv6 Policy") in the FortiGate web interface.
- Create or edit an existing security policy that you want to apply LDAP authentication to.
- In the "Source User" field, select "LDAP" instead of a specific user or user group.
- Specify the relevant source IP, destination, and service information for the policy.

By configuring the security policy to use LDAP as the source user, the FortiGate firewall will query the LDAP server during the authentication process to validate the user credentials.

Keep in mind that the LDAP server needs to be properly configured with the necessary user attributes and mappings for successful authentication. Additionally, the FortiGate firewall must have connectivity to the LDAP server.

It is recommended to consult the FortiGate documentation or reach out to Fortinet support for specific configuration details based on your FortiGate firmware version and LDAP server setup.
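As an added example (not from either poster), the same setup expressed in the FortiOS CLI: the LDAP server object, a user group that references that server as a remote member, and a firewall policy whose source users are that group, which is how the CLI ties LDAP users to a policy without defining individual local user objects. The server name, bind account, base DN, interfaces and addresses are assumed placeholders.

```fortios
# LDAP server object (values below are placeholders, not from the thread)
config user ldap
    edit "corp-ldap"
        set server "192.0.2.10"          # directory server IP (assumed)
        set port 636                      # LDAPS; avoid cleartext LDAP on 389
        set secure ldaps
        set ca-cert "corp-root-ca"        # CA that issued the LDAP server cert (assumed name)
        set cnid "sAMAccountName"         # attribute the login name is matched against
        set dn "dc=example,dc=com"        # search base (assumed)
        set type regular                  # bind with a dedicated read-only service account
        set username "cn=fgt-bind,ou=service,dc=example,dc=com"
        set password "<bind-account-password>"
    next
end

# Group that pulls its members from the LDAP server; no per-user objects needed
config user group
    edit "ldap-users"
        set member "corp-ldap"
    next
end

# Policy that matches only traffic from authenticated LDAP users
config firewall policy
    edit 10
        set name "lan-to-wan-ldap-users"
        set srcintf "port2"               # inside interface (assumed)
        set dstintf "port1"               # outside interface (assumed)
        set srcaddr "all"
        set dstaddr "all"
        set groups "ldap-users"           # this is the "Source User" entry
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all                # log allowed sessions with the user identity
    next
end
```

Before relying on the policy, verify the bind and a test login from the CLI with `diagnose test authserver ldap corp-ldap <username> <password>`; a policy that matches no authenticated user silently drops to the next rule.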

Shantilal1998

Unable to see the LDAP option in the source field.
