Due to the nature of the PPP protocol, we support LDAP authentication on PPTP/L2TP only when the PAP authentication protocol is used.
LDAP-based authentication for handshake protocols such as CHAP/MSCHAP/MSCHAPv2 on PPP link types is not possible due to a technology limitation.
As there is no plaintext password available, the FortiGate is unable to construct proper responses for handshake authentication types.
And the authentication data provided by the client does not contain the password, so the FortiGate has nothing with which to construct a dialog towards LDAP either.
According to my notes it was written in the official documentation...
For example "FortiOS Handbook - Authentication" [ISBN 01-526-122870-20160309],
page 85, chapter "Configuring authentication of L2TP VPN users/user groups":
http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf
--- cit ---
"LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication.
However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is
supported, while CHAP (Challenge Handshake Authentication Protocol) is not."
--- cit ---
Therefore, if your PPTP client does not use PAP, it will fail authentication against the LDAP user group.
For example, MS Windows or Android 2.3.5 clients use MSCHAP/MSCHAPv2 as the default protocol for credential transfer.
I had a link to a page describing how to set PAP in the native MSFT L2TP supplicant, but it's outdated.
If possible, I would go for full IPsec and not L2TP, which I no longer consider secure.
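The following is an added illustration of the point made in the post above, not code from the post, from Fortinet, or from any FortiOS component. It models the two PPP authentication methods side by side: with PAP the client hands over the password itself, so the authenticator can simply forward it as an LDAP simple bind; with CHAP (RFC 1994, MD5-based) the client only returns a hash over the challenge, and verifying it means recomputing MD5(id || secret || challenge), which requires the authenticator to already hold the secret. A directory that only answers bind requests cannot supply it. The in-memory directory, user names and passwords are constructed for the example; MS-CHAP/MS-CHAPv2 are not implemented here but have the same dependency (they need the NT hash of the password, which a bind-only directory also does not return).

```python
import hashlib
import hmac
import os


class SimpleBindDirectory:
    """Constructed stand-in for an LDAP server as seen from an authenticator.

    The only operation exposed is bind(): "is this password valid for this
    user?". The plaintext is kept here purely so the directory can answer
    that question; it is never returned to the caller, just as a real LDAP
    server never returns the stored credential.
    """

    def __init__(self, users):
        self._users = dict(users)  # username -> password bytes (constructed data)

    def bind(self, username, password):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


# --- PAP: the password travels in the clear inside PPP, so it can be forwarded ---
def pap_authenticate(directory, username, password):
    """Authenticator receives (username, password) from the client and forwards
    them as an LDAP bind. No local knowledge of the password is needed."""
    return directory.bind(username, password)


# --- CHAP (RFC 1994): challenge/response with MD5 ---
def chap_challenge():
    """16 random challenge bytes, as the authenticator would send."""
    return os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Client side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, secret):
    """Authenticator side. Returns True/False when the secret is known, or
    None when it is not: without the plaintext the expected value cannot be
    recomputed, so the response can neither be accepted nor rejected."""
    if secret is None:
        return None
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_authenticate_via_ldap(directory, username, identifier, challenge, response):
    """What a bind-only LDAP backend can do for a CHAP exchange: nothing.

    The directory offers no operation that hands back the user's plaintext,
    and the CHAP response is not a password that could be used in a bind, so
    the authenticator has no secret to feed into chap_verify()."""
    secret = None  # no LDAP call can populate this
    return chap_verify(identifier, challenge, response, secret)


def chap_authenticate_local(local_users, username, identifier, challenge, response):
    """Contrast: with a local user store (plaintext or equivalent held by the
    authenticator itself) CHAP can be verified."""
    return chap_verify(identifier, challenge, response, local_users.get(username))


if __name__ == "__main__":
    directory = SimpleBindDirectory({"alice": b"s3cret"})
    print("PAP via LDAP bind:", pap_authenticate(directory, "alice", b"s3cret"))

    ident, chal = 7, chap_challenge()
    resp = chap_response(ident, b"s3cret", chal)  # computed by the client
    print("CHAP via LDAP bind:", chap_authenticate_via_ldap(directory, "alice", ident, chal, resp))
    print("CHAP via local store:", chap_authenticate_local({"alice": b"s3cret"}, "alice", ident, chal, resp))
```

Running it shows PAP succeeding through the bind, CHAP against the same directory returning None (undecidable), and CHAP succeeding only when the authenticator holds the secret locally, which is exactly the distinction the documentation quoted above is describing.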