Think the asnwer to that depends upon situation ... I work with K12 schools and corps. Some schools have tested their moodle with wireshark and went https ... all the corps went https.
I've not seen that much of a performance hit ... and one K12 implementation is used in a F-2-F/Blended sitiuaton ... ie, they hit it all day long and well into the night.
So your choices are: impact performance vs security of user credentials
Is the LDAP using LDAPS?
Config of LDAP is typically set to 'plain text'.
IF, someone were able to run wireshark vs your Moodle running http
what would wireshark be able to see?
Much depends upon the networks ... an ISD that has a private IP network where
the moodle server and the LDAP server are on the same private IP block (like a class A or class B) wireshark should be difficult to setup and run without detection.
IF, however, one has the Moodle server outside the private network and it's configured to talk to LDAP server internally then a wireshark setup could capture student credentials headed to/coming from the LDAP server.
If the entity used something else, like StoneWare, having a students credentials (login/password) would allow access to StoneWare and whatever apps/services were offered back inside the entity.
Then there is BYOD ... bring your own device ... wonder what sort of tools one
can install on a rooted smartphone or a tablet?
What would be definition of 'significantly impact performance'? That measured
how? Right now, for example, have you any baselines or performance data?
Page loads, for example, are they in an 'acceptable range'? Milliseconds to Seconds?
Actually, if one desires to use MDeploy (updating plugins from Moodle.org) it's best
if the client server (i.e., yours) is running https. Plus, if using resources
inside the Moodle that are https (like YouTube, Google, Vimeo, etc., etc.) those other services would prefer to talk to a 'client' over https connections vs http connections.
Given the state of the web these days, don't know that Moodle server admins really have a choice.
Bottom line, however, given the choice of performance vs security afraid that
security trumps ... especially considering what State/Federal legislation (in my country of course)
exist concerning handling of user credentials and protection of user data.
'spirit of sharing', Ken