If your CUCM is already using LDAP authentication for your administrators, you don't really have to do anything on the CUCM side - your third party password tool can just change the passwords on the downstream system. You will still have a few "local accounts" for things like the built-in-admin, all of your service accounts, etc - and you should probably leave those alone.