I use a regular Domain User account for the LDAP queries. It's a dedicated account just to do the LDAP queries, so that way even if the account was compromised, it would have almost no other access. I'm not sure if it makes a difference, but this account is in the same OU as the user accounts it is checking.
P.S. When my first FortiGate unit was installed by a consultant, it was configured to use a Domain Administrator account (the Administrator account!). I thought this was very poor practice to have such a sensitive account sitting with the password cached in reversible encryption on an Internet-facing device. Hence I re-configured it.
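A check that follows from this post, as an added example (not code from the original post or from Fortinet): given a snapshot of `memberOf` data, resolve the bind account's direct and nested group membership and flag any well-known privileged group, so a bind account whose password sits cached on the firewall can be confirmed to be as low-privilege as intended. The account, group and OU names are constructed.

```python
# Added example (not from the original post): audit a dedicated LDAP bind
# account's direct and nested group membership so a device-cached bind account
# is confirmed to hold no privileged rights. All DNs are constructed.
from typing import Dict, List, Set

# Constructed snapshot: object DN -> direct memberOf DNs, standing in for an
# LDAP memberOf lookup. Group and OU names are hypothetical.
DIRECTORY: Dict[str, List[str]] = {
    "CN=svc-fgt-ldap,OU=Users,DC=example,DC=local": [
        "CN=Domain Users,CN=Users,DC=example,DC=local",
    ],
    "CN=Administrator,CN=Users,DC=example,DC=local": [
        "CN=Domain Admins,CN=Users,DC=example,DC=local",
    ],
    # Nested membership: Domain Admins sits inside Builtin\Administrators.
    "CN=Domain Admins,CN=Users,DC=example,DC=local": [
        "CN=Administrators,CN=Builtin,DC=example,DC=local",
    ],
}

# Well-known AD groups a bind account cached on a perimeter device must not be in.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}

def _cn(dn: str) -> str:
    """Return the leading CN value of a distinguished name."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def transitive_groups(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Resolve direct and nested memberOf DNs for an object (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(directory.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, []))
    return seen

def privileged_memberships(dn: str, directory=DIRECTORY) -> List[str]:
    """Privileged group names the account reaches, directly or via nesting."""
    groups = transitive_groups(dn, directory)
    return sorted(_cn(g) for g in groups if _cn(g) in PRIVILEGED_GROUPS)

if __name__ == "__main__":
    print(privileged_memberships("CN=svc-fgt-ldap,OU=Users,DC=example,DC=local"))
```

Against a live directory the same logic runs over the `memberOf` attribute returned for the bind DN the FortiGate is configured with; an empty result for that DN is the expected outcome.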