For cdb there are these things you can do.
1) Wait till the PHP extensions fully work and the vpopmail deamon that the PHP extensions use fully work
First a little correction, the PHP extension and the vpopmail daemon are two different ways to do the same thing. The extension gives PHP direct access to the vpopmail library and should only be run in a closed environment because it trusts any PHP user. The daemon validates connections and limits access based on the current users' rights.
The next development version of vpopmail is very close to release. I'm waiting for some info from Ken on just what needs to be done next. The daemon and extension are well tested under CDB, very lightly tested under MySQL, and I don't believe anyone has even tried any other authentication back ends.
If I wasn't in the process of preparing for a release, I might consider putting it up on a live server, and intend to do so right after release.
If you already run a recent version of vpopmail, you should be able to compile the daemon and run it alongside your existing mail system. I have no doubt you can use it for password changes on CDB very easily.
You have to use the SourceFORGE CVS version from HEAD to get the daemon.
Then look at the utilities and the daemon interface here:
(If you are adventurous, install the whole thing from CVS and let us know how it goes... :)