what in the hell does LDAP, PAM or anything else you mentioned have to do with separating credentials from code? Those all still require credentials, they are not credential token stores.
Something like https://devcenter.heroku.com/articles/config-vars or https://kubernetes.io/docs/concepts/configuration/secret/ or https://www.vaultproject.io/ or a secure s3 bucket would all have been great answers. Hell, we used to use a mysql db with encrypted credentials over a REST interface as a token store.
Three thousand years of beautiful tradition, from Moses to Sandy Koufax, you're god damn right I'm living in the fucking past