Hi Jon,
As per the CUCM design for LDAP, when both synchronization and LDAP authentication are enabled, the system always authenticates application users and end user PINs against the Cisco Unified Communications Manager database. End user passwords get authenticated against the corporate directory; thus, end users need to use their corporate directory password.
So this is the default behaviour of the CUCM LDAP authentication / Synchronization, you can refer the below Cisco SRND for CUCM 9.x
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/directry.html#wp1070369
HTH,
Gifton Abel.