I use a regular Domain User account for the LDAP queries. It's a dedicated account just to do the LDAP queries, so that way even if the account was compromised, it would have almost no other access. I'm not sure if it makes a difference, but this account is in the same OU as the user accounts it is checking.
 
P.S. When my first FortiGate unit was installed by a consultant, it was configured to use a Domain Administrator account (the Administrator account!). I thought this was very poor practice to have such a sensitive account sitting with the password cached in reversible encryption on an Internet-facing device. Hence I re-configured it.
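A least-privilege check for the dedicated bind account described in the post above, as an added example that is not part of the original post or of any FortiGate tooling: it inspects the account's own `memberOf` and `adminCount` attributes as an LDAP search for that account object would return them (the privileged-group list and the two sample entries are constructed).

```python
# Added example (not from the original post): audit the dedicated LDAP bind
# account before handing it to a firewall. The group list and the sample
# entries below are constructed; in practice the memberOf / adminCount values
# come from an LDAP search for the bind account's own object.
import re

# Built-in Active Directory groups a bind account should never belong to.
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "server operators",
    "print operators", "dnsadmins", "group policy creator owners",
}

def group_cn(dn: str) -> str:
    """Return the CN (first RDN value) of a group DN, unescaped and lowercased."""
    m = re.match(r"\s*cn=((?:\\.|[^,])*)", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CN-led DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip().lower()

def audit_bind_account(entry: dict) -> list[str]:
    """Return findings for one LDAP entry; an empty list means it looks least-privilege."""
    findings = []
    for dn in entry.get("memberOf", []):
        if group_cn(dn) in PRIVILEGED_GROUPS:
            findings.append(f"member of privileged group: {dn}")
    # adminCount=1 means AdminSDHolder has protected this object, i.e. it is
    # (or was) a member of a protected group.
    if str(entry.get("adminCount", "0")) == "1":
        findings.append("adminCount=1 (AdminSDHolder-protected account)")
    if entry.get("sAMAccountName", "").lower() == "administrator":
        findings.append("built-in Administrator account used for binding")
    return findings

# Constructed sample entries: a dedicated read-only bind user, and the
# Domain Administrator configuration the consultant left behind.
DEDICATED = {"sAMAccountName": "svc-fortigate-ldap",
             "memberOf": ["CN=LDAP Readers,OU=Service Accounts,DC=example,DC=local"]}
ADMIN = {"sAMAccountName": "Administrator", "adminCount": 1,
         "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=local",
                      "CN=Administrators,CN=Builtin,DC=example,DC=local"]}

if __name__ == "__main__":
    for e in (DEDICATED, ADMIN):
        print(e["sAMAccountName"], audit_bind_account(e) or "OK")
```

`memberOf` does not expand nested group membership, so for a stricter check compare the SIDs returned by the account's `tokenGroups` attribute against the well-known RIDs (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, S-1-5-32-544 Administrators) rather than relying on group names.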