Sentry LDAP policies configured to use SSL (LDAPS) use the "global" system-wide SSL Initiation policy. By default, this SSL Initiation policy has server certificate validation enabled and uses the "DEFAULT" Signer Group. The DEFAULT Signer Group contains several well-known CA certificates for providers such as Verisign, Entrust, Thawte, etc.
If the LDAP server certificate is not signed by one of the CA certs included in the DEFAULT Signer Group, the "Server auth failed" error is thrown when Sentry attempts to connect to the LDAP server.
To resolve the problem, use a custom SSL Initiation policy with a custom Signer Group that contains the LDAP server's CA certs, or disable server cert validation entirely on the SSL Initiation policy. With validation disabled, Sentry no longer verifies the identity of the LDAP server it connects to.
Set the custom SSL Initiation policy as the global policy on the System-->Settings-->System page. Note that other features of Sentry may also use this SSL Initiation policy. The most common use is for WSDL retrieval from HTTPS endpoints while building a WSDL policy.
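The trust decision described above can be reproduced offline with openssl. This is an added example, not Forum Sentry code or configuration. The CA names and the host `ldap.example.test` are constructed sample values: `public-ca` stands in for a CA in the DEFAULT Signer Group, `internal-ldap-ca` for the private CA that must be added to a custom Signer Group.

```shell
#!/bin/sh
# Added example: why a server cert from a CA outside the trusted group is rejected.
# All names here are constructed sample values, not taken from a real deployment.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (NAME.key / NAME.pem) in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: issue a server certificate for NAME signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusted_by CA CERT: exit status 0 if CERT verifies against the CA file CA.pem
trusted_by() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# show_ldaps_issuer HOST: print subject and issuer of the certificate a live
# LDAPS server presents, to identify which CA cert the Signer Group needs.
# Not called here because it needs network access; HOST is supplied by the reader.
show_ldaps_issuer() {
  openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

make_ca public-ca
make_ca internal-ldap-ca
issue_cert internal-ldap-ca ldap.example.test

if trusted_by public-ca ldap.example.test; then
  echo "DEFAULT-like group: trusted"
else
  echo "DEFAULT-like group: rejected (the 'Server auth failed' case)"
fi
if trusted_by internal-ldap-ca ldap.example.test; then
  echo "custom group with the LDAP server's CA: trusted"
else
  echo "custom group with the LDAP server's CA: rejected"
fi
```

Running `show_ldaps_issuer` against the real LDAP host shows the issuer whose CA certificate belongs in the custom Signer Group.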