Add a new user to run the framework code
    
    Add the apache user the ipawebui group.
    Make the ccaches directory owned by the ipawebui group and make
    mod_auth_gssapi write the ccache files as r/w by the apache user and
    the ipawebui group.
    Fix tmpfiles creation ownership and permissions to allow the user to
    access ccaches files.
    The webui framework now works as a separate user than apache, so the certs
    used to access the dogtag instance need to be usable by this new user as well.
    Both apache and the webui user are in the ipawebui group, so use that.
    
    https://fedorahosted.org/freeipa/ticket/5959
    
    Signed-off-by: Simo Sorce <simo@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>