Openfire prevents you from creating users if the configured UserProvider is read-only.
However, when a user is created using the DefaultUserProvider, it uses the configured AuthProvider to set the password. If the AuthProvider does not support the setting of passwords (e.g., the HybridAuthProvider), then a user will be created with a null password.
This means that the user is unable to log in.
Note that attempting to reset the password via the admin console results in a "not supported" message.
I'm not sure what the correct approach should be:
1) Prevent the creation of users if the AuthProvider is read-only
2) Warn the administrator after creating the user that the password cannot be set, similar to the password reset.
3) Something else?
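
The failure mode described above next to option 1, as an added example that is not part of the original report and is not Openfire's code. `AuthBackend`, `createUserUnchecked` and `createUserChecked` are hypothetical stand-ins, and the swallowed exception is an assumption about how the null password comes about.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified stand-ins written for this example; NOT Openfire's classes or signatures.
public class NullPasswordDemo {
    interface AuthBackend {                       // hypothetical stand-in for an AuthProvider
        boolean canSetPassword();
        void setPassword(Map<String, String> store, String user, String password);
    }

    static final AuthBackend WRITABLE = new AuthBackend() {
        public boolean canSetPassword() { return true; }
        public void setPassword(Map<String, String> store, String user, String password) {
            store.put(user, password);            // value models the stored credential
        }
    };

    static final AuthBackend READ_ONLY = new AuthBackend() {
        public boolean canSetPassword() { return false; }
        public void setPassword(Map<String, String> store, String user, String password) {
            throw new UnsupportedOperationException("password changes not supported");
        }
    };

    // Reported behaviour (assumed mechanism): the account is created first,
    // then the password step fails and the account is left behind.
    static void createUserUnchecked(Map<String, String> store, AuthBackend auth, String user, String pw) {
        store.put(user, null);
        try { auth.setPassword(store, user, pw); }
        catch (UnsupportedOperationException e) { /* account stays with a null password */ }
    }

    // Option 1: check the auth backend before anything is written.
    static void createUserChecked(Map<String, String> store, AuthBackend auth, String user, String pw) {
        if (!auth.canSetPassword())
            throw new UnsupportedOperationException("cannot create user: auth backend is read-only");
        store.put(user, null);
        auth.setPassword(store, user, pw);
    }

    public static void main(String[] args) {
        Map<String, String> store = new HashMap<>();
        createUserUnchecked(store, READ_ONLY, "alice", "constructed-pw");
        System.out.println("alice exists=" + store.containsKey("alice") + " password=" + store.get("alice"));
        try { createUserChecked(store, READ_ONLY, "bob", "constructed-pw"); }
        catch (UnsupportedOperationException e) { System.out.println("bob rejected: " + e.getMessage()); }
        System.out.println("bob exists=" + store.containsKey("bob"));
        createUserChecked(store, WRITABLE, "carol", "constructed-pw");
        System.out.println("carol has password=" + (store.get("carol") != null));
    }
}
```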