diff --git a/src/adminserver/systemcfg/systemcfg.go b/src/adminserver/systemcfg/systemcfg.go
index 0ef4ce4eb..8d45cd654 100644
--- a/src/adminserver/systemcfg/systemcfg.go
+++ b/src/adminserver/systemcfg/systemcfg.go
@@ -35,6 +35,7 @@ import (
 const (
 	defaultJSONCfgStorePath string = "/etc/adminserver/config/config.json"
 	defaultKeyPath          string = "/etc/adminserver/key"
+	ldapScopeKey            string = "ldap_scope"
 )
 
 var (
@@ -274,6 +275,11 @@ func initCfgStore() (err error) {
 					log.Errorf("Failed to read old configuration from %s", path)
 					return err
 				}
+				// Update LDAP Scope for migration
+				// only used when migrating harbor release before v1.3
+				// after v1.3 there is always a db configuration before migrate.
+				validLdapScope(jsonconfig, true)
+
 				err = CfgStore.Write(jsonconfig)
 				if err != nil {
 					log.Error("Failed to update old configuration to database")
@@ -336,7 +342,7 @@ func LoadFromEnv(cfgs map[string]interface{}, all bool) error {
 
 		return fmt.Errorf("%v is not string or parse type", v)
 	}
-
+	validLdapScope(cfgs, false)
 	return nil
 }
 
@@ -356,3 +362,18 @@ func GetDatabaseFromCfg(cfg map[string]interface{}) *models.Database {
 	database.SQLite = sqlite
 	return database
 }
+
+// Valid LDAP Scope
+func validLdapScope(cfg map[string]interface{}, isMigrate bool) {
+	ldapScope := cfg[ldapScopeKey].(int)
+	if isMigrate && ldapScope > 0 && ldapScope < 3 {
+		ldapScope = ldapScope - 1
+	}
+	if ldapScope >= 3 {
+		ldapScope = 2
+	}
+	if ldapScope < 0 {
+		ldapScope = 0
+	}
+	cfg[ldapScopeKey] = ldapScope
+}
diff --git a/src/adminserver/systemcfg/systemcfg_test.go b/src/adminserver/systemcfg/systemcfg_test.go
index 887c5ae6f..000e4abdf 100644
--- a/src/adminserver/systemcfg/systemcfg_test.go
+++ b/src/adminserver/systemcfg/systemcfg_test.go
@@ -127,17 +127,54 @@ func TestLoadFromEnv(t *testing.T) {
 }
 
 func TestGetDatabaseFromCfg(t *testing.T) {
-	cfg  :=map[string]interface{} {
-		common.DatabaseType:"mysql",
-		common.MySQLDatabase:"registry",
-		common.MySQLHost:"127.0.0.1",
-		common.MySQLPort:3306,
-		common.MySQLPassword:"1234",
-		common.MySQLUsername:"root",
-		common.SQLiteFile:"/tmp/sqlite.db",
+	cfg := map[string]interface{}{
+		common.DatabaseType:  "mysql",
+		common.MySQLDatabase: "registry",
+		common.MySQLHost:     "127.0.0.1",
+		common.MySQLPort:     3306,
+		common.MySQLPassword: "1234",
+		common.MySQLUsername: "root",
+		common.SQLiteFile:    "/tmp/sqlite.db",
 	}
 
 	database := GetDatabaseFromCfg(cfg)
 
-	assert.Equal(t,"mysql",database.Type)
+	assert.Equal(t, "mysql", database.Type)
+}
+
+func TestValidLdapScope(t *testing.T) {
+	ldapScopeKey := "ldap_scope"
+	testCfgs := []struct {
+		config          map[string]interface{}
+		migrate         bool
+		ldapScopeResult int
+	}{
+		{map[string]interface{}{
+			ldapScopeKey: 1,
+		}, true, 0},
+		{map[string]interface{}{
+			ldapScopeKey: 2,
+		}, true, 1},
+		{map[string]interface{}{
+			ldapScopeKey: 3,
+		}, true, 2},
+		{map[string]interface{}{
+			ldapScopeKey: -1,
+		}, true, 0},
+		{map[string]interface{}{
+			ldapScopeKey: 100,
+		}, false, 2},
+		{map[string]interface{}{
+			ldapScopeKey: -100,
+		}, false, 0},
+	}
+
+	for i, item := range testCfgs {
+		validLdapScope(item.config, item.migrate)
+		if item.config[ldapScopeKey].(int) != item.ldapScopeResult {
+			t.Fatalf("Failed to update ldapScope expected %v, actual %v at index %v", item.ldapScopeResult, item.config[ldapScopeKey], i)
+		}
+
+	}
+
 }