You would deal with a majority of your issues (having to install EAP-GTC, having to figure out what container to authenticate users to), if you switch to using a radius server, instead...
Typically you should just be able to use DC=Com, DC=Domain, but you might have to enable ldap debugging on your LDAP server to determine what is wrong.
Again, switching to radius for 802.1x is a better way to do encryption and it provides more opportunities for troubleshooting.