If users are entering their username and password into the web form then yes, you should have all users reset their credentials, if you're using single sign-on (ie: kerberos) then you should be okay as this uses token based authentication behind the scenes.
Because the issue is undetectable, and you don't know what information has or hasn't been exposed, it's best practice to assume everything is compromised, and should be acted upon accordingly.
I have posted about HeartBleed here for more information - https://moodle.org/mod/forum/discuss.php?d=258211
Matt