My impression regarding A) is that the LDAP-extension-plugin does not support cleartext communication with the LDAP-server out of the box, so unless you explicitly set the option to use cleartext, you will be safe. Am I right?
The default is LDAP via StartTLS, and it is enforced. You can change to LDAPS or cleartext LDAP, if you so choose.
B) seems to be a little more complicated. If I don't want to use SSL for the whole wiki site (and I do want to avoid the additional processor load), I need to secure the login-page only or at least the data submitted to the wiki-server when the user clicks login. Are there extensions for this? Did anyone hack his installation so that the login-page is restricted to SSL? How do other LDAP-users handle this problem?
I believe there is a way to do this. You'll need to make sure your cookies are marked as secure, and the web server ensures that login pages are forced SSL. There used to be a configuration hack, but it looks like the documentation is no longer on mediawiki.org. I'd find it in the history, but it may be gone for a reason.
- Ryan Lane
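
A way to check the two conditions named in the reply above (cookies marked secure, login page forced to SSL), as an added example that is not part of the original thread. The host name, cookie name and response records are constructed, and the login page is assumed to be MediaWiki's `Special:UserLogin`.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_TITLE = "special:userlogin"  # assumption: MediaWiki's login special page
REDIRECTS = (301, 302, 303, 307, 308)

def is_login_url(url):
    """True if the URL addresses the login page, by path or by ?title=."""
    parts = urlsplit(url)
    titles = [t.lower() for t in parse_qs(parts.query).get("title", [])]
    return LOGIN_TITLE in titles or parts.path.lower().endswith("/" + LOGIN_TITLE)

def cookie_is_secure(set_cookie):
    """True if a Set-Cookie header value carries the Secure attribute."""
    # Skip the first segment (name=value) so a cookie *named* "secure" does not count.
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs

def audit(responses):
    """Return findings for a list of (url, status, headers) response records."""
    findings = []
    for url, status, headers in responses:
        if urlsplit(url).scheme == "http" and is_login_url(url):
            location = next((v for k, v in headers if k.lower() == "location"), "")
            if status not in REDIRECTS or not location.startswith("https://"):
                findings.append(f"login page served over cleartext HTTP: {url}")
        for name, value in headers:
            if name.lower() == "set-cookie" and not cookie_is_secure(value):
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(f"cookie without Secure flag: {cookie_name} ({url})")
    return findings

# Constructed sample responses (not captured from a real wiki).
GOOD = [
    ("http://wiki.example.org/index.php?title=Special:UserLogin", 301,
     [("Location", "https://wiki.example.org/index.php?title=Special:UserLogin")]),
    ("https://wiki.example.org/index.php?title=Special:UserLogin", 200,
     [("Set-Cookie", "wiki_session=c0ffee; path=/; Secure; HttpOnly")]),
]
BAD = [
    ("http://wiki.example.org/index.php?title=Special:UserLogin", 200,
     [("Set-Cookie", "wiki_session=c0ffee; path=/; HttpOnly")]),
    ("https://wiki.example.org/wiki/Special:UserLogin", 200,
     [("Set-Cookie", "wiki_session=c0ffee; path=/; HttpOnly")]),
]

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```
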