diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 8d2a5cd..a5c8dc9 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -49,6 +49,42 @@
     project_src: "{{ nextcloud_docker_compose_dir }}"
     state: present
 
+# nextcloud/server#59629: UserConfig::getValueBool() passes a non-string from
+# getTypedValue() into strtolower() under PHP 8.x + OPcache, throwing a
+# TypeError on every authenticated request once user_ldap is involved. Fix
+# is in master (PR #59646) but no stable33 backport landed before 33.0.4.
+# Apply the (string) cast in-container; idempotent via grep guard. Remove
+# this block once nextcloud_image >= 33.0.4.
+- name: Discover nextcloud php containers needing the UserConfig patch
+  ansible.builtin.shell:
+    cmd: >-
+      docker ps --filter "label=com.docker.compose.project={{ nextcloud_docker_compose_dir | basename }}"
+      --filter "label=com.docker.compose.service=nextcloud"
+      --format '{% raw %}{{.Names}}{% endraw %}'
+  register: _nextcloud_php_containers
+  changed_when: false
+
+- name: Check UserConfig.php patch status per container
+  ansible.builtin.shell:
+    cmd: >-
+      docker exec {{ item }} grep -q "strtolower((string)" /var/www/html/lib/private/Config/UserConfig.php
+  loop: "{{ _nextcloud_php_containers.stdout_lines }}"
+  register: _nextcloud_userconfig_check
+  changed_when: false
+  failed_when: false
+
+- name: Apply UserConfig::getValueBool string-cast workaround
+  ansible.builtin.shell:
+    cmd: >-
+      docker exec {{ item.item }}
+      sed -i 's|$b = strtolower($this->getTypedValue|$b = strtolower((string)$this->getTypedValue|'
+      /var/www/html/lib/private/Config/UserConfig.php
+  loop: "{{ _nextcloud_userconfig_check.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc | default(1) != 0
+
 - name: Wait for Nextcloud to be ready
   ansible.builtin.shell:
     cmd: docker compose exec -T nextcloud php /var/www/html/occ status --output=json