yes, the fingerprint can be left empty. The gateway will accept any fingerprint presented by LDAP/AD. That might be security violation, since there is no way of checking.

That is correct.
As I said, there's no way to automatically check or update the fingerprint.
Pretty certain LDAP Server objects do not have API support either (though maybe you can update via generic-object calls).

API is out of game here, but there must be a way how CP is able to figure out if fingerprint matches or not. Maybe some command like "fwm fingerprint" can be used to check fingerprint from LDAP. If there is some easy way, then some linux bash script can be created (for example to send a mail if fingerprint is changed on LDAP side)

The public key is communicated on first connection with the LDAP server as part of the initial TLS negotiation.
Which means you should be able to employ a technique like the following to obtain the fingerprint: https://askubuntu.com/questions/156620/how-to-verify-the-ssl-fingerprint-by-command-line-wget-curl 
(The Check Point binary for openssl is called cpopenssl)
Or, maybe more simply: see if the certificate has changed.

Ideally, this is probably the best approach.
Absent that, this points to a way this can be detected in a semi-automated fashion.

Microsoft will do this at it's own convinience sometimes after reaching 80% of it's life time. Preferably friday evening so it will take the longest time to get "resolved".

We have several customer that align with us to do this on a scheduled maintenance window for this particular activity. (Usually right after lunch.)

But the akward thing is that there is now design to validate new certificates based on their CA inside Check Point. Like someone still klings to the old putkey methods for this particular feature and CA's are not to be trusted.