FIY, Michael shared an idea that may help in your case yesterday. You could try to configure Cache Refresh feature in your new instance and point it out to your old instance's internal LDAP directory (may require some port opening/forwarding). Set it to request all user attributes you care to migrate, set mappings for them telling what imported attribute will correspond to what attribute of the new instance. You can also create CR script to modify values on the fly, if you need. You'll be able to set scope we talked about and apply any custom search filters you need in CR's properties.
The main benefit of this approach is that you won't need to generate inums by yourself, and export/import users manually, CR will do all this automagically, if configured right.
One possible downside is that it's not clear whether CR will be able to handle pre-encoded user passwords which user entries in you old instance contain, I suppose. Above I mentioned how to allow preencoded password import in your new instance, but no idea whether it will help in this case. Still worth a try.
Another possible problem is import of binary attributes, if you have some.
In any case, you can always exclude passwords from CR's list, and write a separate Python script afterwards which will iterate through all user entries in you old instance, getting their passwords, and will add them to corresponding entry of the new instance via LDAP. Still it's better approach, there is no need to care about inums and such this way.