I am currently using DB authentication but want to switch to AD / Hybrid. When I go to add users, it wants me to enter the username and password. I don’t know (and don’t want to) the passwords of the users. Shouldn’t I be able to browse the AD user list and assign roles w/o knowing the passwords? Surely, I am missing something. 
Yeah, thats not very intuitive, sorry.
You can’t browse the AD user list (this is tricky to support with AD through LDAP), so you do need to enter the usernames by hand to add their roles. The password section of that screen is an oversight - you can ignore it, it shouldn’t be there.
Thanks 
Ok, so I was slightly wrong - you have to enter a dummy password to satisfy the web form.
This has been fixed for the next release, the password fields are gone for AD/Hybrid role management.