Hi,
your free options would be 1) a self signed certificate 2) create your own certificate authority and sign the certificate using that (you can do this with OpenSSL very easily). The only benefit of paying for certificate over signing your own (in one way or another) is that if its signed by a well known public CA then other people will already have the CA certificate for that authority installed on their systems, and therefore will not receiving warning about your LDAP having an untrusted certificate installed. Or to give another (non LDAP) example, its important to have a certificate signed by a well know CA if you have a web site that customers will be using for secure transactions so they don't get scary warnings when they connect.
If its for an internal LDAP system then its probably unnecessary to pay to have a certificate signed by Verizon or whoever,
thanks Andy.
