You may be able to glean a wee bit more info from the management API, if you have the object UID and you're willing to read through some deep logic. You can get the object UID with:
mgmt_cli -r true -f json show-objects filter LDAP-Servers |jq -r '.uid'
Then look at the object's properties and parameters:
mgmt_cli -r true -f json show-generic-object uid OBJECT_UID # replace OBJECT_UID with the actual object's UID
Careful reading through this output should give you a hint about where the object may be used. Look for references to things like a VPN authentication, or mobile access authentication.
I will wager that your gateway(s) have something like Mobile Access blade, or Endpoint VPN client authentication disabled right now, but may have been enabled previously. If you go back to the gateway properties, enable either Mobile Access blade or select VPN Clients -> Authentication, you will see the list of Authentication methods, and at least one of them may have an LDAP reference enabled. I had this on a customer gateway recently, too. Just because something is "disabled" in SmartConsole doesn't mean the object references were erased (they almost never are). GUIDBedit will show the same
If not VPN authentication, then you may have something configured in the gateway properties -> Other -> User Directory area, where the LDAP AU was referenced, perhaps when someone prior to you had tuned the LDAP server lookup order, but then something was disabled and again this reference was not removed.
Both GUIDBedit, and the "show-generic-object" API, will give you a clue as to where that object is being referenced.
Alternatively, you can look at the API server log on the management server ($FWDIR/log/cpm.elg and $FWDIR/log/api.elg). If you have the object UID, again you can search these logs to find where the API server complained about the error removing it. This may not be a perfect clue, however, but it may be helpful.
Good luck!
