How to enable LDAP auth for SFTP logins only

If I understand your question correctly, you are looking to provide only sftp service (that is, no interactive logins via ssh).

You can force connections to use the sftp service by adding this to your sshd_config file:

ForceCommand internal-sftp

This is documented in the sshd_config man page:

ForceCommand
  Forces the execution of the command specified by ForceCommand, ignoring any
  command supplied by the client and ~/.ssh/rc if present.  The command is
  invoked by using the user’s login shell with the -c option.  This applies to
  shell, command, or subsys- tem execution.  It is most useful inside a Match
  block.  The command originally supplied by the client is available in the
  SSH_ORIGINAL_COMMAND environment variable.  Specifying a command of
  “internal-sftp” will force the use of an in-process sftp server that requires
  no support files when used with ChrootDirectory.

You can modify /etc/pam.d/sshd to configure sshd to use the normal pam_ldap module rather than the pam module provided by Centrify.

With these configuration changes in place, sftp connections will use normal LDAP authentication, and interactive shells will not be available.

I don't think you could limit it in pam, but if you make all the users you want to constrict members of one group, you can have ssh restrict what those users could do via match group blah.