I think jdrago_999 hit the nail on the head and you may have missed it. I'm no cryptographic genius but you haven't mentioned the keys. Access to the "password file" is a moot point after passwords are encrypted... almost.

I would encrypt each password with different keys so that the LDAP, web server, database password are encrypted with seperate keys. You could then limit access to the key files with ACLs. The scripts could only access the keys corresponding to the passwords they need.

With this concept something as simple as a serialized hash could contain the encrypted password data. Then you would access whatever password you needed by name via hash element. You could use Crypt::CBC to encrypt/decrypt the cyphertext and use them in your scripts.

The key here is (are?) the keys.