Hicham,
Ephemeral ports refer to temporary ports that are opened when establishing a connection. The port used is dynamically chosen and can come from a broad range. The range used depends on the OS (typically). I thought it interesting that the CUCM port reference says that UCM communications to LDAP would use an ephemeral range. I haven't looked at 8.5 closely but in previous versions the UCM is the client side of the LDAP communication. With Microsoft AD the server/listening ports would be:
TCP 389 For Domain Controllers (non-secure)
TCP 636 For Domain Controllers (over SSL or TLS if you prefer)
TCP 3268 For Global Catalog servers (non-secure)
TCP 3269 For Global Catalog servers (over SSL)
Depending on the size of your AD environment you may or may not want to prefer GC connections over DC. You have to make that design choice based on your environment.
In regards to where the conversation may be failing, you can figure this out easily enough by:
a. Inserting a sniffer in the traffic stream to see what is happening.
b. Capturing a trace on the UCM server directly (via an SSH connection) OR
c. Logging on your FW
HTH.
Regards,
Bill
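To illustrate the point about direction (the UCM is the LDAP client, so its side uses an ephemeral port while AD listens on 389/636/3268/3269), here is an added example that is not from the original post or from Cisco: a small Python audit of constructed firewall log lines that picks out UCM-to-AD LDAP flows, flags cleartext LDAP, and flags flows whose client-side port is not in a dynamic range. The log format, IP addresses and the ephemeral ranges (IANA/Windows 49152-65535, Linux 32768-60999, legacy Windows 1025-5000) are assumptions, not taken from the post.

```python
import re

# AD listening ports from Bill's post: port -> (service, server role, encrypted)
AD_LDAP_PORTS = {389: ("LDAP", "DC", False), 636: ("LDAPS", "DC", True),
                 3268: ("LDAP", "GC", False), 3269: ("LDAPS", "GC", True)}

# Common OS dynamic (ephemeral) client ranges, assumed here: IANA and modern
# Windows 49152-65535, Linux 32768-60999, legacy Windows 1025-5000.
EPHEMERAL_RANGES = ((49152, 65535), (32768, 60999), (1025, 5000))

# Constructed firewall log format, not taken from any real product.
LINE_RE = re.compile(r"src=(\S+):(\d+)\s+dst=(\S+):(\d+)\s+proto=(\w+)")


def is_ephemeral(port: int) -> bool:
    """True if the port lies in one of the assumed dynamic client ranges."""
    return any(lo <= port <= hi for lo, hi in EPHEMERAL_RANGES)


def classify(line: str):
    """Describe a UCM->AD LDAP flow (client->server direction only), else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m[1], int(m[2]), m[3], int(m[4]), m[5]
    if proto.upper() != "TCP" or dport not in AD_LDAP_PORTS:
        return None  # not directory traffic, or a logged server->client reply
    service, role, encrypted = AD_LDAP_PORTS[dport]
    # The UCM is the LDAP client, so its port should be ephemeral; a fixed low
    # source port suggests the firewall rule was written in the wrong direction.
    return {"client": src, "server": dst, "service": service, "role": role,
            "encrypted": encrypted, "client_port_ephemeral": is_ephemeral(sport)}


def audit(lines):
    """Flag cleartext LDAP and flows whose client-side port is not ephemeral."""
    findings = []
    for f in filter(None, map(classify, lines)):
        if not f["encrypted"]:
            findings.append(f"cleartext {f['service']} to {f['role']} {f['server']}")
        if not f["client_port_ephemeral"]:
            findings.append(f"non-ephemeral client port from {f['client']}")
    return findings


# Constructed sample lines (addresses are made up).
SAMPLE_LOG = [
    "src=10.1.1.10:52144 dst=10.1.1.5:636 proto=TCP",   # LDAPS to DC: fine
    "src=10.1.1.10:51001 dst=10.1.1.5:389 proto=TCP",   # cleartext LDAP: flagged
    "src=10.1.1.10:49800 dst=10.1.1.6:3269 proto=TCP",  # LDAPS to GC: fine
    "src=10.1.1.10:33000 dst=10.1.1.5:443 proto=TCP",   # not LDAP: ignored
    "src=10.1.1.5:636 dst=10.1.1.10:52144 proto=TCP",   # reply direction: ignored
]
```

Running `audit(SAMPLE_LOG)` on the constructed lines reports only the single cleartext LDAP flow to the DC.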