Hello @Eduardo DeGante ,
Thank you for posting here.
Q: I need to use LDAP (TLS - port 389) to sync users with a third-party app. Can I use a self-signed certificate or do I need to purchase one?
A: Yes, if the purpose of the certificate is specified in the certificate, you can use a self-signed certificate.
But we suggest a trusted CA-signed certificate instead of a self-signed certificate.
If you want to use a third-party CA, you may need to purchase one.
Or you can consider using a Windows CA with the AD CS role installed and configured, if needed.
Here is an article for your reference.
Why it’s always better to go with a Trusted CA Signed SSL Certificate over a Self Signed Certificate
https://cheapsslsecurity.com/blog/self-signed-ssl-versus-trusted-ca-signed-ssl-certificate/
Here is a similar case for your reference.
Self-signed SSL Cert or CA? [closed]
https://stackoverflow.com/questions/292732/self-signed-ssl-cert-or-ca
Hope the information above is helpful.
Should you have any questions or concerns, please feel free to let us know.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Best Regards,
Daisy Zhou
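The check implied by the answer above (the certificate states its purpose, and it is either self-signed or issued by a trusted CA), as an added PowerShell example that is not part of the original answer. It assumes the certificate is installed in the LDAP server's Local Computer Personal store (`Cert:\LocalMachine\My`) and takes "purpose" to mean the Server Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.1); both are assumptions, not stated on the page.

```powershell
# Added example: audit certificates a Windows LDAP server could present over TLS.
# Assumptions: run in an elevated session on the LDAP server; the store path and
# the Server Authentication OID are not taken from the original answer.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # The certificate's stated purposes live in the Enhanced Key Usage extension.
    $ekuExt   = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $purposes = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    # Self-signed certificates name themselves as issuer.
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # Build the chain against this machine's trust stores. Revocation checking
    # is disabled so the audit also works without network access to a CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuth    = $purposes -contains $serverAuthOid
        SelfSigned    = $selfSigned
        TrustedHere   = $trusted
        ChainStatus   = $status   # e.g. UntrustedRoot for an untrusted self-signed cert
    }
} | Format-Table -AutoSize
```

`TrustedHere` reflects only the server's own trust stores. The third-party app validates the certificate against its own trust store, so a self-signed certificate or a private AD CS root has to be imported there as well.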